[Vpn-help] MTU packet problems on Linux ...

Rodrigo Ferroni rferroni at gmail.com
Wed Dec 12 15:58:10 CST 2007


Matthew:

You are right, the problem was related with the MTU and packet
fragmentation.

First I tried to use the ike_frag option (client and server) with "force", but I
had the same result.

Then I looked in racoon.conf; we have esp_frag. As the man page says, this
option is for NAT-T in tunnel mode,
fragmenting the IP packet before the ESP encapsulation. This helps to work
with ADSL routers
that reject UDP fragments. Well, it didn't work either, because the racoon log sent
me a warning:
"552" Your kernel does not support esp_frag. I didn't find which
kernel module is related
to this.

Using iptables, I couldn't understand well the tcpmss chain in the mangle table
(maximum segment size)
(-j TCPMSS --clamp-mss-to-pmtu or --set-mss). This is another thing to keep
trying.

So for now I solved the problem with another, simpler solution:
I decreased the MTU size of the interface that is waiting for the VPN
connections.
(eth2 MTU: 1300; the default is 1500)

Thanks again Matthew for all your help.

Rodrigo.


2007/12/11, Matthew Grooms <mgrooms at shrew.net>:
>
> Rodrigo Ferroni wrote:
> >
> > Matthew:
> >
> > I tried the vpn-client with the routefix and it works!!!
> > Now the route is added correctly.
> > The XP is a Professional version 2002 with SP2.
> > If you want I can send you the ike service log.
> > Thanks for your help to solve this route issue.
> >
>
> Rodrigo,
>
> Your other problem looks like a classic MTU and fragmentation related
> issue. Have you looked into fragment handling on your Debian box? I
> assume you are using iptables. It may be that there are extra rules or
> options required to handle this situation. I know it's necessary with pf
> or ipf. Please see the rather shabby blurb at the bottom of this link to
> the client documentation ...
>
>
> http://www.shrew.net/vpn/help-2.0.3/files/%7BB2C7CFEE-88C6-408E-A080-869E51E5737F%7D.htm
>
> If that doesn't help, another thing to look into would be enabling MSS
> clamping. You may find this link useful although it is intended for a
> NetBSD audience.
>
> http://www.netbsd.org/docs/network/ipsec/rasvpn.html#ike_frag
> http://www.netbsd.org/docs/network/ipsec/rasvpn.html#more_frag
>
> Here is another link that provides a similar workaround for Linux and
> iptables. The issues they describe are related to PPTP connections but
> the problem resolution should be the same.
>
>
> http://www.linux.org/docs/ldp/howto/Adv-Routing-HOWTO/lartc.cookbook.mtu-mss.html
>
> I will expand this section of the client user documentation before the
> 2.1.0 release to make sure this issue is more clear.
>
> Hope this helps,
>
> -Matthew
>
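The two workarounds discussed in this thread, lowering the interface MTU and clamping TCP MSS with the iptables TCPMSS target, as an added dry-run example that is not from either poster; the per-header overhead figures are assumptions for ESP tunnel mode over UDP NAT-T with AES-CBC and HMAC-SHA1-96, and the interface name and MTU are example arguments.

```shell
#!/bin/sh
# Added example, not code from the thread. Everything below only prints the
# commands it would run, so it is safe to execute on any host.

# Conservative TCP MSS that lets one inner TCP segment fit inside a single
# ESP-in-UDP packet on a link with the given outer MTU. Overhead values are
# assumptions for IPv4, NAT-T, ESP tunnel mode, AES-CBC, HMAC-SHA1-96.
ipsec_safe_mss() {
    mtu=$1
    outer_ip=20    # outer IPv4 header
    udp=8          # NAT-T UDP encapsulation header
    esp_hdr=8      # ESP SPI + sequence number
    iv=16          # AES-CBC initialisation vector
    pad=17         # worst-case ESP padding (15) + pad length + next header
    icv=12         # HMAC-SHA1-96 integrity check value
    inner_ip=20    # inner IPv4 header (tunnel mode)
    tcp=20         # TCP header without options
    echo $((mtu - outer_ip - udp - esp_hdr - iv - pad - icv - inner_ip - tcp))
}

# Print the two fixes for interface "$1" at outer MTU "$2".
show_workarounds() {
    iface=$1
    mtu=$2
    mss=$(ipsec_safe_mss "$mtu")
    echo "# Probe the path first: DF-bit ping of the largest payload that fits"
    echo "ping -M do -c 1 -s $((mtu - 28)) <peer-address>"
    echo "# 1) Lower the interface MTU (what Rodrigo did: eth2 at 1300)"
    echo "ip link set dev $iface mtu $mtu"
    echo "# 2) Clamp MSS on forwarded SYNs so segments fit after encapsulation"
    echo "iptables -t mangle -A FORWARD -o $iface -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
    echo "#    or let the kernel derive it from the discovered path MTU"
    echo "iptables -t mangle -A FORWARD -o $iface -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
}

show_workarounds eth2 1300
```

With the default 1500-byte MTU the function yields an MSS of 1379, well below the 1460 a host assumes on plain Ethernet, which is why unclamped TCP through the tunnel produces fragments.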