Todd Pearsall wrote:
The saga continues...

I tried a couple things based on help from Charles S. (some day I want
my 1st name and last initial to be all I need to be recognized ;)) and
some of the folks on the FreeSWAN list.

Here's what I tried individually with reboots in between to be sure:
In Shorewall Config tried
	CLAMPMSS=Yes

In Shorewall Config tried
	CLAMPMSS=1300

In Ipsec.conf
	overridemtu=1200   (I was sure that was going to do it)

In all three cases the regular traffic flows fine, but no large packets
through the VPN from the local side out.  I found it interesting that
the remote vpn side can connect and transfer data no problem.

I also tried in pppoe.conf
	CLAMPMSS=1412
But in that case no traffic could pass the router vpn or not.

I feel that I'm on the brink of getting it, but at this point am mostly
playing with these parameters with trial and error.  Any more ideas would
be greatly appreciated.
Have you tried changing the MTU on your internal machines, and/or sniffing the traffic to see what it looks like?

The problem you describe (packets unable to traverse in one direction, regardless of router settings) could easily be caused by large packets sent with the "don't fragment" option set in the IP header. This will prevent the router from being able to process the packet (it can't be fragmented, and it can't fit through the MTU of the VPN, so it gets dropped). Typically an ICMP message is sent to the originating machine, indicating the packet was dropped.

The CLAMPMSS and overridemtu settings are "band-aids" that try to compensate for this problem, but don't address the fundamental issue, which is caused by the originating IP stack or application not dealing with a small MTU in the middle of a route.

I suspect you'll make more headway by sniffing your problematic traffic at this point...once you figure out what's wrong, an appropriate fix will likely present itself.

Note that you can get tcpdump for LEAF, which I find very handy in these situations.

--
Charles Steinkuehler
[EMAIL PROTECTED]

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html