List:       openswan-users
Subject:    Re: [Openswan Users] Set MTU on netkey
From:       Leto <letoams () gmail ! com>
Date:       2013-09-13 13:18:15
Message-ID: 5D6C9383-103C-4088-9FA8-7400742ED751 () gmail ! com

check with: ip route list
when tunnel is up.
ping uses icmp, not the best for checking mtu 

sent from a tiny device 

On 2013-09-13, at 4:23, "Ozai" <ozai.tien@gmail.com> wrote:

> Hi Sirs,
> 
> Only add mtu= in the conn as below. It did not seem to work.
> I try to ping peer site ipsec router from our lan site pc. (test environment as below)
> ping -l 1200 195.168.11.X
> And try to capture wan site packet to check.
> I found the packet size always keep on 12XX. It did not seem to fragment the packet.
> 
> Do you have any suggestions on this question?? Thanks.
> And Sorry for my poor English.
> 
> config setup
>     nat_traversal=no
>     oe=off
>     protostack=netkey
>     interfaces=%defaultroute
> 
> conn test
>     left=182.16.23.74
>     leftsubnet=195.168.12.0/24
>     rightsubnet=195.168.11.0/24
>     connaddrfamily=ipv4
>     right=182.16.23.108
>     ike=3des-md5;modp1024
>     ikelifetime=480m
>     type=tunnel
>     salifetime=60m
>     phase2alg=3des-hmac_md5
>     pfs=no
>     phase2=esp
>     mtu=1000
>     keyexchange=ike
>     authby=secret
>     auto=add
> 
> peer ipsec------(wan site 182.16.23.X)--------openswan-------(lan site 195.168.12.X)--------pc
> 
> Best Regards,
> Ozai
> ----- Original Message -----
> From: Leto
> To: Nick Howitt
> Cc: users@lists.openswan.org
> Sent: Friday, September 13, 2013 12:20 AM
> Subject: Re: [Openswan Users] Set MTU on netkey
> 
> no. overridemtu= is klips only and works on the ipsecX interface. mtu= is passed via _updown to ip route - works on all stacks
> 
> sent from a tiny device
> 
> On 2013-09-12, at 9:27, Nick Howitt <n1ck.h0w1tt@gmail.com> wrote:
> 
> > Isn't mtu on the conn in klips only? Not netkey.
> > 
> > On 2013-09-12 14:18, Leto wrote:
> > 
> > > mtu= in the conn should do that
> > > 
> > > sent from a tiny device 
> > > 
> > > On 2013-09-12, at 3:00, "Ozai" <ozai.tien@gmail.com> wrote:
> > > 
> > > > Dear Sirs,
> > > > 
> > > > How do I set the mtu for the IPSec tunnel? My test environment is openswan 2.6.38 with embedded linux and protostack is netkey. iptables?? Can someone point me in the right direction? Thanks.
> > > > 
> > > > Best Regards,
> > > > Ozai
> > > > _______________________________________________
> > > > Users@lists.openswan.org
> > > > https://lists.openswan.org/mailman/listinfo/users
> > > > Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > > > Building and Integrating Virtual Private Networks with Openswan:
> > > > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

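The check suggested at the top of this message (look at `ip route list` once the tunnel is up), as an added example that is not part of the original thread or of Openswan's own code: a small parser that reports whether the route to the remote subnet carries the mtu given in the conn. The sample routing tables are constructed for illustration; the device names, the gateway address and the exact form of the route that _updown installs are assumptions.

```shell
#!/bin/sh
# Constructed samples of `ip route list` output; device names and the
# default gateway are made up, and real output on your box may differ.
SAMPLE_WITH_MTU='default via 182.16.23.1 dev eth0
182.16.23.0/24 dev eth0 proto kernel scope link src 182.16.23.74
195.168.11.0/24 via 182.16.23.108 dev eth0 mtu 1000
195.168.12.0/24 dev br0 proto kernel scope link src 195.168.12.1'
SAMPLE_NO_MTU='default via 182.16.23.1 dev eth0
195.168.11.0/24 via 182.16.23.108 dev eth0'

# route_mtu SUBNET: reads `ip route list` output on stdin and prints the mtu
# on the route for SUBNET, "none" if the route has no mtu attribute, or
# "noroute" if there is no route for SUBNET at all.
route_mtu() {
    awk -v dst="$1" '
        $1 == dst {
            found = 1
            for (i = 2; i < NF; i++) {
                if ($i == "mtu") {
                    # iproute2 prints a locked metric as "mtu lock N"
                    print (($(i + 1) == "lock") ? $(i + 2) : $(i + 1))
                    hit = 1
                    exit
                }
            }
        }
        END { if (!hit) print (found ? "none" : "noroute") }
    '
}

# check_conn_mtu SUBNET MTU: compares the route for rightsubnet= against the
# conn's mtu= value; returns 0 only when they match.
check_conn_mtu() {
    got=$(route_mtu "$1")
    case "$got" in
        "$2")    echo "ok: route to $1 carries mtu $2" ;;
        none)    echo "route to $1 has no mtu attribute; mtu= was not applied"; return 1 ;;
        noroute) echo "no route to $1; is the tunnel up?"; return 1 ;;
        *)       echo "route to $1 has mtu $got, expected $2"; return 1 ;;
    esac
}

# Demo on the constructed samples, using the values from the conn above.
printf '%s\n' "$SAMPLE_WITH_MTU" | check_conn_mtu 195.168.11.0/24 1000
printf '%s\n' "$SAMPLE_NO_MTU" | check_conn_mtu 195.168.11.0/24 1000 || true
```

On a live gateway, run `ip route list | check_conn_mtu 195.168.11.0/24 1000` after the tunnel has come up.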
