
List:       strongswan-users
Subject:    Re: [strongSwan] Fragmented packets issue.
From:       "cipher" <cipher () megamail ! pt>
Date:       2008-07-25 11:21:34
Message-ID: 10090.82.155.8.59.1216984894.megamail () www ! megamail ! pt


Hello,

Thank you very much for answering. The issue here is also that I am having
trouble with UDP fragmented packets. The netfilter rules I found apply to TCP
traffic.
What do you think could solve this?

Thanks in advance for your time,

C

> Hi,
>
> the overridemtu and interfaces parameters are for the old FreeS/WAN
> KLIPS IPsec stack only and do not have any significance for the
> native IPsec stack of the Linux 2.6 kernel which does not have any
> ipsecX interfaces.
>
> One way to solve MTU problems is to reduce the MTU of the outgoing
> interface
>
>    ifconfig eth0 mtu 1400
>
> which reduces the MTU for all traffic though. A more elegant way
> is to apply MSS clamping to TCP traffic using netfilter rules.
> Google the Internet for the exact way to do that.
>
> Best regards
>
> Andreas
>
> cipher wrote:
>> Hi all,
>>
>> I am currently running strongswan 2.8.8 in a set of 2 (two) security
>> gateways with private networks behind each one of them. Both running
>> 2.8.8, 2.6.20.6 and 2.6.21.5 linux kernel versions.
>> Everything has been working fine until I started to get problems with
>> fragmented packets. To solve this I tried to use the "overridemtu" and
>> "interfaces" parameters on both gateways:
>>
>> -> gateway 1
>>
>> config setup
>>         #plutodebug=control
>>         crlcheckinterval=180
>>         strictcrlpolicy=no
>>         interfaces="ipsec0=eth0 ipsec1=eth1"
>>         overridemtu=16260
>>         plutodebug=all
>>         #fragicmp=yes
>>
>> -> gateway 2
>>
>> config setup
>>         #plutodebug=control
>>         crlcheckinterval=180
>>         strictcrlpolicy=no
>>         interfaces="ipsec0=eth0"
>>         overridemtu=16260
>>         plutodebug=all
>>         #fragicmp=yes
>>
>> The problem is, when a big packet reaches the gateway to be tunneled and has
>> to be fragmented, nothing happens and the packet never appears on the other
>> gateway. I also never get an ipsecX interface and I presume that might be
>> the problem...
>> Gateway 1 has got 2 interfaces. I am not sure if I have to configure 1
>> interface for each physical interface or if the ipsecX interface is only
>> needed in the interface sending encrypted traffic.
>>
>> On both gateways I can see an ipsecX interface catting /var/run/ipsec.info
>>
>> user@XxX:~# cat /var/run/ipsec.info
>> defaultroutephys=eth0
>> defaultroutevirt=ipsec0
>> defaultrouteaddr=1.2.3.4
>> defaultroutenexthop=5.5.7.8
>>
>> Anyway ifconfig doesn't output any ipsecX interface, nor does "ip route show".
>>
>> Is there a way fragmented packets could go across both gateways and reach
>> their destination?
>>
>> Thank you very much in advance!
>>
>> ---
>>
>> _______________________________________________
>> Users mailing list
>> Users@lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen@strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>

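Added illustration, not part of the thread and not strongSwan's own tooling: the two remedies Andreas names (lowering the interface MTU, and MSS clamping for TCP with netfilter) as a small POSIX sh helper that first works out how many bytes ESP tunnel mode adds to a packet and then derives the inner MTU and TCP MSS that still fit the outer link. The interface name eth0, the outer MTU of 1500, and the cipher suite (AES-CBC with a 16-byte block/IV and HMAC-SHA1-96 with a 12-byte ICV, no NAT-T UDP encapsulation) are assumptions for the example, not values from the thread. With those assumptions the worst-case overhead is 73 bytes, which is why an inner MTU of 1400 (Andreas's figure) leaves comfortable room and gives a TCP MSS of 1360. The rules only touch the MSS option in TCP SYN segments, so, as cipher notes, they do nothing for UDP; for UDP the only lever in the thread is the lower interface MTU.

```shell
#!/bin/sh
# Example helper (not from the list thread). Sizes the inner MTU / TCP MSS for
# an ESP tunnel and emits the commands for the two remedies discussed:
# lowering the outgoing interface MTU and MSS clamping with netfilter.
# Assumed, not from the thread: eth0, outer MTU 1500, AES-CBC + HMAC-SHA1-96.

# Worst-case bytes that ESP tunnel mode adds to one plaintext IPv4 packet.
#   $1 = cipher block size in bytes (CBC ciphers use one block as the IV)
#   $2 = integrity check value (ICV) length in bytes
#   $3 = 1 if UDP encapsulation (NAT traversal) is in use, otherwise 0
esp_tunnel_overhead() {
    block=$1; icv=$2; nat_t=$3
    outer_ip=20           # new outer IPv4 header added by tunnel mode
    esp_hdr=8             # SPI (4) + sequence number (4)
    iv=$block             # CBC initialisation vector, one cipher block
    pad=$((block - 1))    # worst-case padding up to the next block boundary
    trailer=2             # pad length (1) + next header (1)
    if [ "$nat_t" -eq 1 ]; then udp=8; else udp=0; fi   # RFC 3948 UDP header
    echo $((outer_ip + udp + esp_hdr + iv + pad + trailer + icv))
}

# Largest plaintext packet that still fits the outer MTU once encapsulated.
inner_mtu() {
    echo $(($1 - $2))     # $1 = outer MTU, $2 = ESP overhead
}

# TCP MSS that fits a given inner MTU: subtract IPv4 (20) and TCP (20) headers.
mss_for_mtu() {
    echo $(($1 - 40))
}

# Remedy 1 (all traffic, UDP included): lower the interface MTU.
# Modern equivalent of the thread's "ifconfig eth0 mtu 1400".
lower_mtu_cmd() {
    printf 'ip link set dev %s mtu %s\n' "$1" "$2"
}

# Remedy 2 (TCP only): rewrite the MSS option on forwarded SYN segments so
# that peers never send segments that would need fragmentation inside the
# tunnel. --set-mss pins the value; --clamp-mss-to-pmtu would instead rely
# on path MTU discovery working end to end. UDP has no MSS, so this rule
# cannot help cipher's UDP case.
mss_clamp_rules() {
    printf '%s\n' "iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $1"
}

# Demonstration with the assumed values; only prints the plan, changes nothing.
OVERHEAD=$(esp_tunnel_overhead 16 12 0)
echo "# ESP tunnel-mode worst-case overhead: $OVERHEAD bytes"
echo "# Largest inner packet for outer MTU 1500: $(inner_mtu 1500 "$OVERHEAD") bytes"
echo "# Using inner MTU 1400 (as suggested on the list):"
lower_mtu_cmd eth0 1400
mss_clamp_rules "$(mss_for_mtu 1400)"
```

Run it as a plan first (it only prints); the two emitted commands need root and are the ones to apply on each gateway if the plan looks right. The netfilter rule sits in the mangle FORWARD chain, so it covers both directions of traffic forwarded between the private networks but not traffic the gateway itself originates.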
