Re: ipsec troubles

Thanks for the fast reply ...

So you are saying I should use a value of 1440 for X?
What rule do I apply it to? (sorry to sound stupid .. brain is fried ..
have been working on this for a long time).

Peter


----- Original Message ----- 
From: "Jason Opperisano" <opie@xxxxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Friday, October 15, 2004 3:10 PM
Subject: Re: ipsec troubles


On Fri, Oct 15, 2004 at 03:00:03PM -0300, Peter Marshall wrote:
> Hi everyone.  I have two firewalls, internal and external.  I have a vpn
> server in the middle on a routeable internet IP address.  The remote vpn
> server is a rh9 linux box.  When I make the local one a rh9 box, everything
> is great, however when the local one is an openbsd box, I get the following
> error in my firewall logs on my internal firewall.  Does anyone know what it
> means?
>
> Note: E.F.G.33 is a routeable internet IP address
>
> Oct 15 14:53:43 radium kernel: FORWARD REJECT IN=eth1 OUT=eth0
> SRC=E.F.G.33 DST=192.168.201.22 LEN=56 TOS=0x00 PREC=0x00 TTL=254
> ID=25774 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.201.22 DST=10.0.0.2 LEN=1500
> TOS=0x00 PREC=0x00 TTL=126 ID=18062 DF PROTO=TCP INCOMPLETE [8 bytes] ]
> MTU=1444

ICMP Type 3 Code 4 = Destination Unreachable, Fragmentation Needed and
Don't Fragment was Set.

lower the MTU (or MSS) of your IPSec traffic.  you can do this with the
"-j TCPMSS --set-mss X" target in iptables.

mathematically speaking, the maximum value of X in these situations
would be 1440, derived as:

1500 (MTU of ethernet) - 20 (bytes in IPSec header) = 1480

MSS is defined as MTU - 40; or 1480 - 40 = 1440.

-j

-- 
Jason Opperisano <opie@xxxxxxxxxxx>
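The arithmetic in Jason's reply and the TCPMSS rule it leads to, as an added shell example that is not part of the thread. It assumes the 1500-byte ethernet MTU and 20 bytes of IPsec overhead stated above; the `FORWARD` chain, the `mangle` table and the `--tcp-flags SYN,RST SYN` match are the usual placement for an MSS clamp on a forwarding firewall, not something the thread specifies. The rule is printed, not executed; the log line is a constructed copy of the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread.  Derive the TCPMSS value from
# link MTU and tunnel overhead, read the path MTU a "fragmentation needed"
# ICMP announces, and print the iptables rule that would apply the clamp.

# MSS = (link MTU - tunnel overhead) - 40 (20-byte IP header + 20-byte TCP header).
# With MTU 1500 and 20 bytes of IPsec overhead this is 1440, as in the reply.
mss_from_mtu() {
    mtu=$1
    overhead=${2:-0}
    echo $(( mtu - overhead - 40 ))
}

# Pull the MTU= value out of a netfilter log line for ICMP type 3 code 4.
# That number is the largest packet the next hop will carry; prints nothing
# if the line has no MTU= field.
mtu_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*MTU=\([0-9][0-9]*\).*/\1/p'
}

# Build (but do not run) the clamp rule.  Only SYN packets need rewriting,
# because MSS is exchanged during the handshake.  Chain and table are
# assumptions for a forwarding firewall.
tcpmss_rule() {
    chain=$1
    mss=$2
    echo "iptables -t mangle -A $chain -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
}

# Constructed log line, modeled on the one quoted in the thread.
sample_log='Oct 15 14:53:43 radium kernel: FORWARD REJECT IN=eth1 OUT=eth0 SRC=E.F.G.33 DST=192.168.201.22 LEN=56 TOS=0x00 PREC=0x00 TTL=254 ID=25774 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.201.22 DST=10.0.0.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=126 ID=18062 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1444'

main() {
    mss=$(mss_from_mtu 1500 20)
    echo "MSS for a 1500-byte link minus 20 bytes IPsec overhead: $mss"
    echo "Path MTU announced by the ICMP in the log: $(mtu_from_log "$sample_log")"
    tcpmss_rule FORWARD "$mss"
}

main
```

Note what the log line itself shows: the internal firewall is REJECTing the "fragmentation needed" ICMP in its FORWARD chain, so the 1500-byte DF-flagged TCP segments never learn about the smaller path MTU. Clamping the MSS on the firewall removes the dependency on that ICMP being delivered at all.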


