Andreas Muerdter am at tbits.net
Tue Aug 17 12:58:01 CEST 2010

Hi List,

I know the problem. The packets from RDP are too big and need to be fragmented.
The 2.6 kernel sends the ICMP packet "need to frag" to the client, but with the external IP address of the VPN server.
The packet is not sent over the VPN tunnel; it is sent in plain over the external interface.
That means that this packet is not received by the client.

In my case I have a net2net VPN <=> over a third VPN server with the external IP, and this IP is used for the ICMP packet.

11:59:10.227180 > icmp: unreachable - need to frag (mtu 1446) [tos 0xc0]

Does anyone know this problem and have a solution?


Hi list,

I have two VPN tunnels with 3 servers

|HostA| --- |HostB|---|HostC|

HostA and HostC are running strongswan 2.8.11 and Host B is running strongswan 4.4.1. ICMP between all nets behind the hosts A, B, C is OK. But when I try to connect via RDP from Net A (HostA) to Net C (HostC) over HostB, the RDP connection will not establish.
The same happens from Net C to Net A over Host B.
But I can connect from Net B to Net A and Net C via RDP without any problems.
It seems that Host B does not forward all traffic with a higher packet size to the other nets.
It is not an iptables problem; it seems like MTU in the IPsec or something else.
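The two messages above describe the same failure mode: the intermediate IPsec gateway emits "need to frag" ICMP errors from its external address and outside the tunnel, so the peer behind the other tunnel never learns the path MTU and large RDP segments are silently dropped. The following script is an added example (not code from either poster or from strongSwan) that checks a tcpdump capture for exactly this symptom: it parses "need to frag" lines, flags those whose source address is not inside the tunnel address ranges (and will therefore not reach the far side), and reports the TCP MSS value that corresponds to the advertised MTU. The sample capture lines and the address ranges are constructed for the example; the single line quoted in the thread carries no addresses, so the format with `src > dst` is assumed from tcpdump's usual output.

```python
import ipaddress
import re

# tcpdump's "need to frag" line carries the path MTU the sending kernel
# wants the peer to use, e.g.:
#   11:59:10.227180 203.0.113.10 > 10.1.0.5: icmp: unreachable - need to frag (mtu 1446) [tos 0xc0]
# (address layout assumed from tcpdump's usual "src > dst" format)
FRAG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+icmp:\s+"
    r"unreachable - need to frag \(mtu (?P<mtu>\d+)\)"
)

IPV4_HEADER = 20
TCP_HEADER = 20


def parse_need_to_frag(line):
    """Return {"src", "dst", "mtu"} for a need-to-frag line, else None."""
    m = FRAG_RE.match(line)
    if not m:
        return None
    return {"src": m.group("src"), "dst": m.group("dst"), "mtu": int(m.group("mtu"))}


def tcp_mss_for_mtu(mtu):
    """Largest TCP MSS that fits in one IPv4 packet of the given MTU."""
    return mtu - IPV4_HEADER - TCP_HEADER


def check_frag_sources(lines, tunnel_nets):
    """Classify each need-to-frag error by whether its source address lies
    inside one of the tunnel's traffic selectors (and so is carried through
    the tunnel to the peer) or outside them (sent in plain on the external
    interface, i.e. a PMTUD blackhole for the far side)."""
    nets = [ipaddress.ip_network(n) for n in tunnel_nets]
    findings = []
    for line in lines:
        p = parse_need_to_frag(line)
        if p is None:
            continue
        src = ipaddress.ip_address(p["src"])
        p["src_in_tunnel"] = any(src in n for n in nets)
        p["mss_clamp"] = tcp_mss_for_mtu(p["mtu"])
        findings.append(p)
    return findings


def blackholed_mtus(findings):
    """MTU values the peer never learned because the ICMP left in plain."""
    return sorted({f["mtu"] for f in findings if not f["src_in_tunnel"]})


# Constructed capture: one error sourced from the gateway's external address
# (the case in the thread), one correctly sourced from an address inside the
# tunnel, plus an unrelated line that must be ignored.
SAMPLE_CAPTURE = [
    "11:59:10.227180 203.0.113.10 > 10.1.0.5: icmp: unreachable - need to frag (mtu 1446) [tos 0xc0]",
    "11:59:10.230000 10.2.0.1 > 10.1.0.5: icmp: unreachable - need to frag (mtu 1400) [tos 0xc0]",
    "11:59:11.000000 10.1.0.5.3389 > 10.3.0.7.49152: . ack 1 win 65535",
]

# Constructed traffic selectors for the tunnels between the three nets.
TUNNEL_NETS = ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"]

if __name__ == "__main__":
    for f in check_frag_sources(SAMPLE_CAPTURE, TUNNEL_NETS):
        where = "via tunnel" if f["src_in_tunnel"] else "IN PLAIN (peer will not see it)"
        print(f"{f['src']} -> {f['dst']}: mtu {f['mtu']}, mss clamp {f['mss_clamp']}, {where}")
```

Run it against `tcpdump -n -i <external-iface> icmp` output from the middle gateway; any error listed as sent in plain is one the far side cannot act on, and the printed MSS value is the clamp that keeps TCP segments under the advertised tunnel MTU regardless of whether the ICMP arrives.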

