[strongSwan] RDP over VPN tunnel
Tommi Kyntola
tommi.kyntola at ray.fi
Tue Aug 17 13:55:34 CEST 2010
Hi,
we have had numerous problems with ICMP type 3, code 4 (i.e. "fragmentation needed") packets
getting blocked by misconfigured third-party firewalls. The only viable
choice for us to avoid TCP black holes in those cases was to make sure the packets
fit the MTUs along the path to begin with. Because in our case it was all TCP
traffic inside the tunnels, it was sufficient to use the mangle table and TCPMSS
clamping (e.g. --set-mss 1300).
Naturally that has an impact on TCP throughput, but for us that was not an issue.
Hope that helps.
cheers,
Tommi Kyntola
On 08/17/10 13:58, Andreas Muerdter wrote:
> Hi List,
>
> I know the problem. The packets from RDP are too big and need to be fragmented.
> The 2.6 kernel sends the ICMP "need to frag" packet to the client, but with the external IP address of the VPN server.
> The packet is not sent over the VPN tunnel; it is sent in the clear over the external interface.
> That means that this packet is not received by the client.
>
> In my case I have a net2net VPN 10.1.0.0/16 <=> 10.3.0.0/16 over a third VPN server with the external IP 192.168.100.2, and this IP is used for the ICMP packet.
>
> 11:59:10.227180 192.168.100.2> 10.1.1.101: icmp: 10.3.10.10 unreachable - need to frag (mtu 1446) [tos 0xc0]
>
> Does anyone know this problem and have a solution?
>
> Regards
> Andreas
>
> Hi list,
>
> I have two VPN tunnels with 3 servers (net2net).
>
> |HostA| --- |HostB|---|HostC|
>
> HostA and HostC are running strongSwan 2.8.11 and HostB is running strongSwan 4.4.1. ICMP between all nets
> behind the hosts A, B, C is OK. But when I try to connect via RDP from Net A (HostA) to Net C (HostC)
> over HostB, the RDP connection will not establish.
> The same happens from Net C to Net A over Host B.
> But I can connect from Net B to Net A and Net C via RDP without any problems.
> It seems that Host B does not forward all traffic to the other nets with a
> higher packet size.
> It is not an iptables problem; it seems like MTU in the IPsec or
> something else.
>
> any ideas?
>
> Regards
> Andreas
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
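The TCPMSS clamping Tommi describes, as an added example that is not part of the thread: it derives an MSS from a tunnel MTU (1446 is the value quoted in Andreas's tcpdump line) and emits mangle-table rules for the IPsec forwarder; the rule shape, the use of the iptables `policy` match, and the RUN=1 switch are this example's own choices, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not from the thread: derive an MSS from a tunnel MTU and
# emit the mangle-table TCPMSS clamp rules for an IPsec forwarder.
# Nothing is executed unless RUN=1, so the output can be reviewed first.

# Largest MSS that fits the given MTU with IPv4 (20) + TCP (20) headers and
# no options. Tommi's 1300 sits deliberately below this upper bound.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Rules that rewrite the MSS option of forwarded SYNs that an IPsec policy
# will encrypt (--dir out) or has just decrypted (--dir in). The policy
# match leaves plain forwarded traffic unclamped; drop "-m policy ..." to
# clamp everything that passes through FORWARD.
tcpmss_clamp_rules() {
    mss="$1"
    for dir in out in; do
        printf 'iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m policy --pol ipsec --dir %s -j TCPMSS --set-mss %s\n' "$dir" "$mss"
    done
}

# Run each rule when RUN=1, otherwise just print it.
apply_or_print() {
    while IFS= read -r cmd; do
        if [ "${RUN:-0}" = 1 ]; then
            $cmd        # intentional word splitting: tokens contain no spaces
        else
            printf '%s\n' "$cmd"
        fi
    done
}

# 1446 is the MTU reported in the "need to frag" ICMP quoted above.
tcpmss_clamp_rules "$(mss_for_mtu 1446)" | apply_or_print
```

The TCPMSS target also offers --clamp-mss-to-pmtu, which takes the value from the route's cached PMTU; that is exactly what goes stale when the ICMP never arrives, so a fixed --set-mss is the safer choice in this scenario.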