James Muir | 3 Jan 03:22 2009

Re: [Openswan Users] mtu problems

James Muir wrote:
> Is there something analogous to overridemtu= that I can set with NETKEY? 
>   I have tried changing the MTU value on eth0 using ifconfig, but that 
> did not seem to help.

any hints on this one?  If I knew where the mtu was set in the openswan 
code, I could try recompiling with a hard coded value...

I am anticipating that someone will say use KLIPS rather than NETKEY :-(

incidentally, the KLIPS module fails to build on my machine (kernel 
2.6.24, openswan 2.6.19):

make[2]: Entering directory `/usr/src/linux-source-2.6.24'

   WARNING: Symbol version dump /usr/src/linux-source-2.6.24/Module.symvers
            is missing; modules will have no dependencies and modversions.

ln -s -f /scratch/openswan-2.6.19/linux/net/ipsec/ipsec_init.c 
/scratch/openswan-2.6.19/modobj26/ipsec_init.c
   CC [M]  /scratch/openswan-2.6.19/modobj26/ipsec_init.o
In file included from /scratch/openswan-2.6.19/modobj26/ipsec_init.c:57:
include/net/ip.h: In function ‘ip_hdrlen’:
include/net/ip.h:49: error: ‘const struct sk_buff’ has no member named ‘nh’

-James
_______________________________________________
Users <at> openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan: 

Paul Wouters | 3 Jan 14:58 2009

Re: [Openswan Users] mtu problems

On Fri, 2 Jan 2009, James Muir wrote:

> James Muir wrote:
> > Is there something analogous to overridemtu= that I can set with NETKEY? 
> >   I have tried changing the MTU value on eth0 using ifconfig, but that 
> > did not seem to help.
> 
> any hints on this one?  If I knew where the mtu was set in the openswan 
> code, I could try recompiling with a hard coded value...

Did you set the mtu on both ends?

> incidentally, the KLIPS module fails to build on my machine (kernel 
> 2.6.24, openswan 2.6.19):

try 2.6.20rc1 from testing/

Paul

James Muir | 4 Jan 04:06 2009

Re: [Openswan Users] mtu problems

Paul Wouters wrote:
> On Fri, 2 Jan 2009, James Muir wrote:
> 
>> James Muir wrote:
>>> Is there something analogous to overridemtu= that I can set with NETKEY? 
>>>   I have tried changing the MTU value on eth0 using ifconfig, but that 
>>> did not seem to help.
>> any hints on this one?  If I knew where the mtu was set in the openswan 
>> code, I could try recompiling with a hard coded value...
> 
> Did you set the mtu on both ends?

no.  I am using openswan only on my end; the other end is a sonicwall. 
I am not able to set the mtu on the sonicwall.

Just to recap, after I connect to the sonicwall

this works:  ping -s 1402

this does not:  ping -s 1403

The larger packet size causes an "icmp fragmentation needed" response.

the freeswan faq suggests that I should try using the option 
overridemtu= to fix this, but this option is for KLIPS only.  Is there 
something that can be done with NETKEY??

>> incidentally, the KLIPS module fails to build on my machine (kernel 
>> 2.6.24, openswan 2.6.19):
> 

Paul Wouters | 4 Jan 07:51 2009

Re: [Openswan Users] mtu problems

On Sat, 3 Jan 2009, James Muir wrote:

> no.  I am using openswan only on my end; the other end is a sonicwall. 
> I am not able to set the mtu on the sonicwall.
> 
> Just to recap, after I connect to the sonicwall
> 
> this works:  ping -s 1402
> 
> this does not:  ping -s 1403
> 
> The larger packet size causes an "icmp fragmentation needed" response.
> 
> the freeswan faq suggests that I should try using the option 
> overridemtu= to fix this, but this option is for KLIPS only.  Is there 
> something that can be done with NETKEY??
> 
> >> incidentally, the KLIPS module fails to build on my machine (kernel 
> >> 2.6.24, openswan 2.6.19):
> > 
> > try 2.6.20rc1 from testing/
> 
> If there is zero possibility of correcting the mtu size with the NETKEY 
> stack, then I will give KLIPS a try.  However, my feeling is that it 
> should be possible to make NETKEY work.

With netkey, you can do something like:

ip route change 1.2.3.0/24 via gwip mtu 1400


James Muir | 4 Jan 20:46 2009

Re: [Openswan Users] mtu problems

Paul Wouters wrote:
> With netkey, you can do something like:
> 
> ip route change 1.2.3.0/24 via gwip mtu 1400
> 
> in the updown script

I think you are suggesting that I change the mtu value on my network
interface.  I've already given that a try:

ifconfig eth0 mtu 1400

However, this doesn't seem to solve my problem.  There is still a 
threshold packet-size beyond which my ip packets do not make it into the 
private network (e.g. "ping -s 1410" works but "ping -s 1411" does not).

From what I see in wireshark, it looks like an icmp fragmentation 
issue.  I cannot send fragmented packets through the tunnel.

Is there a particular reason (related to the ipsec protocol) why the 
sonicwall appliance might disallow fragmented packets?  Perhaps openswan 
is not fragmenting the way that the sonicwall expects.

-James


James Muir | 10 Jan 21:19 2009

Re: [Openswan Users] mtu problems

> However, this doesn't seem to solve my problem.  There is still a 
> threshold packet-size beyond which my ip packets do not make it into the 
> private network (e.g. "ping -s 1410" works but "ping -s 1411" does not).

Problem solved.

It turned out that my router was using an mtu of 1400 while eth0 was 
using an mtu of 1500.  Changing the router's mtu to 1500 fixed things. 
My guess is that openswan with netkey does not do path MTU discovery (or 
at least it does not do it correctly).

btw, I discovered that the command  ping -s SIZE  is not the most 
reliable way to determine if your tunnel has icmp fragmentation 
problems.  Many machines will not reply to an icmp echo command that is 
fragmented (e.g. ping -c 2 -s 1600 yahoo.com  works, but ping -c 2 -s 
1600 google.com  does not.)

It is possible that  ifconfig eth0 mtu 1400  would also have fixed my 
problem -- if it did, I didn't notice because the machine I was trying 
to ping doesn't respond to fragmented icmp echo commands.

-James
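The probing method James describes (grow `ping -s SIZE` until replies stop) has the weakness he notes: once the echo request is fragmented, many hosts simply do not answer, so a failure tells you nothing about where the limit is. The script below is an added example, not code from the thread or from Openswan; it runs the same search with the Don't Fragment bit set (`-M do` on Linux iputils ping, an assumption about the ping in use), so nothing is ever fragmented and an oversized probe fails immediately instead of disappearing. It binary-searches for the largest payload that gets through and converts that into the IPv4 packet size, which is the number to compare against the interface and route MTU values discussed in the thread. The probe function is passed in by name so the search can run offline against a constructed stand-in that reproduces the "1402 works, 1403 fails" observation; pass a host name to probe a real path.

```shell
#!/bin/sh
# Added example: locate the largest unfragmented ICMP payload on a path.
# Assumes Linux iputils ping (-M do sets DF, -W is the per-reply timeout).

# Real probe: one echo request with DF set.  Succeeds only if a reply came
# back; an oversized probe fails locally (EMSGSIZE) or via ICMP
# "fragmentation needed" rather than being fragmented and silently ignored.
# $1 = target host, $2 = ICMP payload size in bytes
ping_df_probe() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# Binary search for the largest payload the probe accepts.
# $1 = target, $2 = probe function name, $3 = lowest size, $4 = highest size
# Prints the largest passing size, or 0 if nothing in the range passes.
find_max_payload() {
    target=$1; probe=$2; lo=$3; hi=$4
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$target" "$mid"; then
            best=$mid
            lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# Size of the IPv4 packet that carried a given ICMP payload:
# 20-byte IPv4 header (no options) + 8-byte ICMP echo header + payload.
payload_to_ipv4_mtu() {
    echo $(( $1 + 28 ))
}

# Constructed offline stand-in for the thread's observation:
# payloads up to 1402 bytes pass, anything larger does not.
fake_probe_1402() {
    [ "$2" -le 1402 ]
}

main() {
    host=${1:-}
    if [ -n "$host" ]; then
        # 1472 is the largest payload that fits a 1500-byte Ethernet MTU.
        max=$(find_max_payload "$host" ping_df_probe 0 1472)
    else
        max=$(find_max_payload unused fake_probe_1402 0 1472)
    fi
    echo "largest DF payload: $max bytes -> IPv4 packet size $(payload_to_ipv4_mtu "$max") bytes"
}

main "$@"
```

With the constructed probe the search stops at 1402, i.e. a 1430-byte IPv4 packet; that is the size on the inner (cleartext) side, and the ESP and outer IP overhead added by the tunnel sit between it and the MTU of the interface or route carrying the encrypted traffic, which is why an `mtu` on the route (or the router's own MTU, as turned out to be the case here) can be the real limit even when eth0 reports 1500.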
