[strongSwan] RDP over VPN tunnel

Andreas Muerdter am at tbits.net
Fri Aug 20 17:38:01 CEST 2010


Hi Tommi,

thanks for your help, tcp-mss "solves" the problem.
But is that the only solution to MTU problems with the IPsec in kernel 2.6?

Regards
Andreas

Tommi Kyntola wrote on 17.08.2010 at 13:55:

> Hi,
> we have had numerous problems with icmp type 3, code 4 (i.e. frag needed)
> packets getting blocked by misconfigured third-party firewalls. The only
> viable choice for us to avoid tcp-blackholes in those cases was to make sure
> the packets fit the MTUs along the path to begin with. Because in our case it
> was all tcp traffic inside the tunnels it was sufficient to use the mangle
> table and TCPMSS clamping (e.g. --set-mss 1300).
>
> Naturally that has an impact on tcp throughput, but for us that was not an
> issue.
>
> Hope that helps.
>
> cheers,
> Tommi Kyntola
>
> On 08/17/10 13:58, Andreas Muerdter wrote:
>> Hi List,
>>
>> I know the problem. The packets from RDP are too big and need to be
>> fragmented. The kernel 2.6 sends the ICMP packet "need to frag" to the
>> client, but with the external IP address of the VPN server. The packet is
>> not sent over the VPN tunnel; it is sent plain over the external interface.
>> That means that this packet is not received by the client.
>>
>> In my case I have a net2net VPN 10.1.0.0/16 <=> 10.3.0.0/16 over a third
>> VPN server with the external IP 192.168.100.2, and this IP is used for the
>> ICMP packet.
>>
>> 11:59:10.227180 192.168.100.2 > 10.1.1.101: icmp: 10.3.10.10 unreachable - need to frag (mtu 1446) [tos 0xc0]
>>
>> Does anyone know this problem and have a solution?
>>
>> Regards
>>
>> Andreas
>>
>> Hi list,
>>
>> I have two VPN tunnels with 3 servers (net2net).
>>
>> |HostA| --- |HostB| --- |HostC|
>>
>> HostA and HostC are running strongswan 2.8.11 and HostB is running
>> strongswan 4.4.1. ICMP between all nets behind the hosts A, B, C is OK. But
>> when I try to connect via RDP from Net A (HostA) to Net C (HostC) over
>> HostB, the RDP connection will not establish. The same happens from Net C
>> to Net A over HostB. But I can connect from Net B to Net A and Net C via RDP
>> without any problems.
>> It seems that HostB does not forward all traffic to the other nets with a
>> higher packet size.
>> It is not an iptables problem; it seems like MTU in the IPsec or something
>> else.
>>
>> Any ideas?
>>
>> Regards
>>
>> Andreas
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
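As an added example (not code from the thread or from strongSwan), this is the mangle-table TCPMSS clamping Tommi describes above, sized from the 1446-byte path MTU in Andreas's ICMP capture instead of a fixed 1300. The two subnets come from the thread; the FORWARD chain placement and the SYN-only match are assumptions.

```shell
# Added example: derive a TCP MSS from the path MTU that the kernel reported
# in the "need to frag (mtu 1446)" ICMP message quoted above, and print the
# iptables mangle-table TCPMSS rules for the net2net tunnel. Nothing is
# applied; the rules are only printed so they can be reviewed first.

# MSS = path MTU minus the 20-byte IPv4 header and the 20-byte TCP header.
# Fails for an MTU that leaves no room for a TCP segment.
mss_for_mtu() {
    mtu="$1"
    [ "$mtu" -gt 40 ] || return 1
    echo $((mtu - 40))
}

# One FORWARD rule that rewrites the MSS option on SYN packets going from
# subnet $1 to subnet $2. Only SYN packets carry the MSS option, hence the
# --tcp-flags match. Chain placement (FORWARD) is an assumption.
tcpmss_rule() {
    echo "iptables -t mangle -A FORWARD -s $1 -d $2 -p tcp" \
         "--tcp-flags SYN,RST SYN -j TCPMSS --set-mss $3"
}

# Rules for both directions of the 10.1.0.0/16 <=> 10.3.0.0/16 tunnel from
# the thread, sized from the reported path MTU given as $1.
clamp_rules() {
    mss=$(mss_for_mtu "$1") || return 1
    tcpmss_rule 10.1.0.0/16 10.3.0.0/16 "$mss"
    tcpmss_rule 10.3.0.0/16 10.1.0.0/16 "$mss"
}

clamp_rules 1446
```

The printed value for an MTU of 1446 is an MSS of 1406, the largest segment that still fits the tunnel path without fragmentation.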
