
OpenSwan <--> FreeSwan mtu size problem

Joerg Morbitzer

22 Jun 2004, 06:38:43

Hi all,

I am running several FreeSwan VPNs across the world (mostly version
1.96 with kernel 2.4.2x). Now I thought it is time to give OpenSwan
(2.1.3) with kernel-2.6.6 a chance, so I upgraded one of my VPN gateways.

I am able to establish a tunnel between OpenSwan and FreeSwan (both ends
are connected to DSL lines via ppp/pppoe), I can ping machines on the
internal networks and you can surf or transfer very small files, but I
can't copy large files because the connection stalls. It looks like some
messed up mtu values between FreeSwan and OpenSwan (a look at Google
confirmed that - Google didn't find a solution for my problem though).
Does anybody know what mtu size I need to use? I tried different mtu
sizes on my ppp connections (1412, 1452 for example) and I also tried to
force a different mtu size with "overridemtu" in /etc/ipsec.conf -
without any improvement. Setting up mss clamping using iptables didn't
help either.

A connection between two OpenSwan gateways works fine. As I don't want
to upgrade all of my gateway machines to OpenSwan at the same time I
would like to find a solution for my problem.


Any ideas are welcome.


Thanks in advance, Joerg.

David Efflandt

23 Jun 2004, 20:54:06


How is each end connected to the internet, directly with pppoe, or behind
a broadband router?

A clue might be that I had no problem with any connections initiated from
behind a broadband router to the internet. And when I forwarded port 25 to
the internal smtp server, I had no problem receiving small test messages.
But when I tried to send larger image attachments from work to home,
sendmail kept reporting "timeout waiting for data transfer" and at that
point the sending server kept attempting to reconnect and resend.

The solution in that case was to set mtu of sendmail server LAN nic to
same mtu as PPPoE connection on router (1492 in my case, which is max
PPPoE mtu, due to 8-byte header). Suddenly the mail that had been timing
out arrived.

As long as you have ping response enabled on the internet side at both ends,
you could determine max mtu by using ping with -M do and -s (data size in
bytes) from one to the internet side of the other. Max -s + 28 = max mtu (for
example -s 1464 + 28 = 1492 max mtu).

But if opening a firewall for ipsec, you have to be aware of the
difference between "ports" and "protocols" (If I remember right,
protocol 50 needs to be allowed in along with port 500 to establish an
ipsec connection). And something in ipsec related scripts needs to open
the firewall for the ipsec tunnel (if the firewall box is making the
connection). Or the router (if any) needs to be configured to allow ipsec
passthrough.

--
David Efflandt - All spam ignored http://www.de-srv.com/
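As an added example, not code from either poster, the following shell script automates the path MTU probe David describes (ping with -M do and increasing -s, then MTU = largest passing payload + 28) and derives from the result the MSS value for the iptables clamp that Joerg mentions trying. The peer host name, the search bounds and the probe timeout are assumptions; the script takes the peer's internet-side address as its first argument and needs ICMP echo reachability to it, exactly as the post notes.

```bash
#!/bin/sh
# Added example: binary-search the largest ICMP payload that passes a
# DF-marked ping, then convert it to a link MTU the way David's post does
# (payload + 20-byte IP header + 8-byte ICMP header = MTU).

# mtu_from_payload SIZE -> prints SIZE + 28
mtu_from_payload() {
    echo $(( $1 + 28 ))
}

# mss_for_mtu MTU -> prints MTU - 40 (20-byte IP + 20-byte TCP header),
# the value to use with iptables' TCPMSS --set-mss when clamping by hand.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Real probe: succeeds (exit 0) if one ping of $2 data bytes to $1, with the
# Don't-Fragment bit set, is answered within 2 seconds (timeout is an assumption).
ping_probe() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# find_max_payload HOST LOW HIGH [PROBE]
# Binary search between LOW (assumed to pass) and HIGH (assumed to fail) for
# the largest payload that still passes. PROBE is a command invoked as
# "PROBE HOST SIZE"; it defaults to ping_probe and can be swapped for a stub
# so the search logic can be exercised without network access.
find_max_payload() {
    host=$1; lo=$2; hi=$3; probe=${4:-ping_probe}
    while [ $(( hi - lo )) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$host" "$mid"; then
            lo=$mid        # mid passed: answer is at least mid
        else
            hi=$mid        # mid was dropped/fragmented: answer is below mid
        fi
    done
    echo "$lo"
}

# Usage: sh pmtu.sh <peer-internet-address>
# Starts from a payload of 0 (always passes) up to 1500 (cannot pass over
# PPPoE, whose maximum MTU is 1492 as the post explains).
if [ -n "${1:-}" ]; then
    peer=$1
    payload=$(find_max_payload "$peer" 0 1500)
    mtu=$(mtu_from_payload "$payload")
    mss=$(mss_for_mtu "$mtu")
    echo "largest DF payload to $peer: $payload bytes -> path MTU $mtu, TCP MSS $mss"
    # Real iptables rules a gateway admin would then apply (shown, not run):
    echo "iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
    echo "# or let netfilter derive it: ... -j TCPMSS --clamp-mss-to-pmtu"
fi
```

The search relies on the two invariants in its comments: the lower bound always passed and the upper bound always failed, so it stops when they are adjacent and the lower bound is the answer (1464 in David's example, giving 1492). Because the probe is injectable, the same search can be run against a stub that models a 1492-byte link, which is how the logic is checked below without touching the network.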
