Hi Tommi, thanks for your help, tcp-mss "solves" the problem.. But is that the only solution to solve MTU problems with the IPsec from kernel 2.6?

Regards
Andreas

Tommi Kyntola wrote on 17.08.2010 at 13:55:
> Hi, we have had numerous problems with ICMP type 3, code 4 (i.e. frag needed)
> packets getting blocked by misconfigured third-party firewalls. The only
> viable choice for us to avoid TCP black holes in those cases was to make sure the
> packets fit the MTUs along the path to begin with. Because in our case it was all
> TCP traffic inside the tunnels it was sufficient to use the mangle table and
> TCPMSS clamping (e.g. --set-mss 1300). Naturally that has an impact
> on TCP throughput, but for us that was not an issue.. Hope that
> helps.
>
> cheers,
> Tommi Kyntola
>
> On 08/17/10 13:58, Andreas Muerdter wrote:
> > Hi List,
> >
> > I know the problem. The packets from RDP are too big and need to be fragmented.
> > The kernel 2.6 sends the ICMP packet "need to frag" to the client, but with the external IP
> > address of the VPN server.
> > The packet is not sent over the VPN tunnel; it is sent plain over
> > the external interface.
> > That means that this packet is not received by the client.
> >
> > In my case I have a net2net VPN 10.1.0.0/16 <=> 10.3.0.0/16 over a third VPN server with the external IP
> > 192.168.100.2, and this IP is used for the ICMP packet.
> >
> > 11:59:10.227180 192.168.100.2 > 10.1.1.101: icmp: 10.3.10.10 unreachable - need to frag (mtu 1446) [tos 0xc0]
> >
> > Does anyone know this problem and have a solution?
> >
> > Regards
> >
> > Andreas
> >
> > > Hi list,
> > >
> > > I have two VPN tunnels with 3 servers (net2net).
> > >
> > > |HostA| --- |HostB|---|HostC|
> > >
> > > HostA and HostC are running with strongswan 2.8.11 and Host B is running with strongswan
> > > 4.4.1. ICMP between all nets behind the hosts A,B,C is OK. But when I try to
> > > connect via RDP from Net A (HostA) to Net C (HostC) over HostB, the RDP
> > > connection will not establish.
> > > The same happens from Net C to Net A over Host B.
> > > But I can connect from Net B to Net A and Net C via RDP without any problems.
> > > It seems that Host B does not forward all traffic to the other nets with a
> > > higher packet size.
> > > It is not an iptables problem; it seems like MTU in the IPsec or something else.
> > >
> > > Any ideas?
> > >
> > > Regards
> > >
> > > Andreas

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
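The arithmetic behind Tommi's MSS clamping and the "need to frag (mtu 1446)" line, worked through as an added example that is not code from the thread or from strongSwan. The ESP cipher parameters (3DES-CBC with an 8-byte IV and a 12-byte HMAC-SHA1-96 ICV, AES-CBC with a 16-byte IV) are assumptions, and the tcpdump line is reconstructed from the one quoted above.

```python
import re
from typing import Optional

# Constructed sample, reconstructed from the tcpdump line quoted in the thread.
SAMPLE_TCPDUMP = ("11:59:10.227180 192.168.100.2 > 10.1.1.101: icmp: 10.3.10.10 "
                  "unreachable - need to frag (mtu 1446) [tos 0xc0]")
FRAG_NEEDED = re.compile(r"need to frag \(mtu (\d+)\)")

def parse_frag_needed_mtu(line: str) -> Optional[int]:
    """Pull the advertised next-hop MTU out of an ICMP type 3 / code 4 tcpdump line."""
    m = FRAG_NEEDED.search(line)
    return int(m.group(1)) if m else None

def esp_tunnel_size(inner_len: int, block: int, iv_len: int, icv_len: int,
                    nat_t: bool = False) -> int:
    """Wire size of an inner IPv4 packet after ESP tunnel-mode encapsulation.

    Layout: outer IPv4 (20) + [UDP 4500 (8) if NAT-T] + SPI/seq (8) + IV
    + ciphertext + ICV; the ciphertext covers the inner packet plus padding
    plus the 2-byte trailer (pad length, next header), padded to the block size.
    """
    padded = -(-(inner_len + 2) // block) * block  # ceil to a block multiple
    return 20 + (8 if nat_t else 0) + 8 + iv_len + padded + icv_len

def max_inner_mtu(path_mtu: int, block: int, iv_len: int, icv_len: int,
                  nat_t: bool = False) -> int:
    """Largest inner packet whose ESP encapsulation still fits path_mtu.

    This is what the gateway advertises in "need to frag" (assumed cipher
    parameters; the kernel's own rounding may differ by a few bytes).
    """
    inner = path_mtu - 20 - 8 - iv_len - icv_len  # over-estimate, then walk down
    while esp_tunnel_size(inner, block, iv_len, icv_len, nat_t) > path_mtu:
        inner -= 1
    return inner

def mss_for_inner_mtu(inner_mtu: int) -> int:
    """TCP MSS that fits inner_mtu: subtract the IPv4 and TCP headers (20 + 20)."""
    return inner_mtu - 40

def tcpmss_rule(mss: int) -> str:
    """Mangle-table rule of the kind Tommi describes, clamping MSS on forwarded SYNs."""
    return ("iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN "
            f"-j TCPMSS --set-mss {mss}")

if __name__ == "__main__":
    advertised = parse_frag_needed_mtu(SAMPLE_TCPDUMP)
    print("advertised inner MTU:", advertised, "-> MSS", mss_for_inner_mtu(advertised))
    for name, params in {"3des-sha1": (8, 8, 12), "aes128-sha1": (16, 16, 12)}.items():
        inner = max_inner_mtu(1500, *params)
        print(name, "inner MTU", inner, "->", tcpmss_rule(mss_for_inner_mtu(inner)))
```

With the 3DES-CBC/HMAC-SHA1-96 parameters on a 1500-byte path the computed inner MTU is 1446, the same value the quoted tcpdump reports; Tommi's 1300 simply leaves generous headroom for whatever the path actually allows.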
