[strongSwan] RDP over VPN tunnel
am at tbits.net
Fri Aug 20 17:38:01 CEST 2010
Thanks for your help, tcp-mss "solves" the problem..
But is that the only solution for MTU problems with the IPsec of kernel 2.6?
Tommi Kyntola wrote on 17.08.2010 at 13:55:
> we have had numerous problems with icmp type 3, code 4 (i.e. frag needed)
> getting blocked by misconfigured third-party firewalls. The only
> choice for us to avoid tcp-blackholes in those cases was to make sure the
> packets fit the MTUs along the path to begin with. Because in our case it was all
> traffic inside the tunnels it was sufficient to use the mangle table and
> clamping (e.g. --set-mss 1300).
> Naturally that has an impact on tcp throughput, but for us that was not an issue..
> On 08/17/10 13:58, Andreas Muerdter wrote:
> Hi List,
> I know the problem. The packets from RDP are too big and need to be fragmented.
> The kernel 2.6 sends the ICMP packet "need to frag" to the client, but with
> the external IP address of the VPN server.
> The packet is not sent over the VPN tunnel, it is sent plain over
> the external interface.
> That means that this packet is not received by the
> In my case I have a net2net VPN
> 10.1.0.0/16 <=> 10.3.0.0/16 over a third VPN server with the external IP 192.168.100.2,
> and this IP is used for the ICMP packet.
> 192.168.100.2 > 10.1.1.101: icmp: 10.3.10.10 unreachable - need to frag (mtu 1446) [tos
> Does anyone know this problem and have a
> Hi list,
> I have two VPN tunnels with 3 servers:
> |HostA| --- |HostB| --- |HostC|
> HostA and
> is running strongswan 2.8.11 and Host B is running strongswan 4.4.1.
> ICMP between all nets behind the hosts A, B, C is OK. But when I try to
> connect via RDP from Net A (HostA) to Net C (HostC) over HostB, the RDP
> connection will not establish.
> The same happens from Net C to Net
> over Host B.
> But I can connect from Net B to Net A and Net C via RDP without any problems.
> It seems that Host B does not forward all traffic to the other nets with a
> higher packet size.
> It is not an iptables problem, it seems like the MTU in the ipsec or
> Users mailing
> Users at lists.strongswan.org
More information about the Users
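The thread leaves two things implicit: where a tunnel MTU such as the "mtu 1446" in the quoted tcpdump line comes from, and which MSS value to clamp to so that TCP never has to rely on a "need to frag" ICMP that may be sent from the wrong address or dropped by a firewall on the way. The following is an added worked example, not code from the thread or from strongSwan. It computes the usable MTU inside an ESP tunnel from the outer link MTU and the ESP parameters (header, IV, CBC padding, trailer and ICV laid out as in RFC 4303), derives the TCP MSS that fits, and emits the iptables TCPMSS rule of the kind Tommi describes. The cipher and ICV sizes are parameters; the 3DES-CBC / AES-CBC with HMAC-SHA1-96 values in the demo and the FORWARD chain are assumptions for illustration, not the posters' actual configuration.

```python
# Added example (not from the thread or from strongSwan): ESP tunnel-mode
# overhead, the resulting tunnel MTU, and the TCP MSS to clamp to.
# Cipher/ICV sizes are parameters; the defaults (AES-CBC, 12-byte
# HMAC-SHA1-96 ICV) are assumptions, not a measured configuration.

IP_HDR = 20       # outer IPv4 header added in tunnel mode
TCP_HDR = 20      # TCP header without options
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)


def esp_tunnel_overhead(inner_len, iv_len=16, block=16, icv_len=12):
    """Bytes ESP tunnel mode adds around an inner IPv4 packet of inner_len bytes.

    A CBC cipher pads (payload + trailer) up to a multiple of its block size;
    the ICV is appended after the encrypted part.
    """
    pad = (-(inner_len + ESP_TRAILER)) % block
    return IP_HDR + ESP_HDR + iv_len + pad + ESP_TRAILER + icv_len


def tunnel_mtu(outer_mtu, **esp):
    """Largest inner IPv4 packet whose ESP-encapsulated form still fits outer_mtu.

    For CBC ciphers this is the figure the Linux kernel puts into the
    "need to frag (mtu N)" ICMP for traffic entering the tunnel.
    """
    inner = outer_mtu
    while inner + esp_tunnel_overhead(inner, **esp) > outer_mtu:
        inner -= 1
    return inner


def mss_for_mtu(mtu):
    """TCP MSS that fits in one IPv4 packet of the given MTU (no IP/TCP options)."""
    return mtu - IP_HDR - TCP_HDR


def tcpmss_rule(mss, chain="FORWARD"):
    """iptables mangle rule clamping the MSS option carried in SYN packets.

    Matching SYN (including SYN/ACK) is sufficient because the MSS option is
    only present there. The chain is an assumed default; use --clamp-mss-to-pmtu
    instead of --set-mss to take the value from the route's path MTU.
    """
    return (f"iptables -t mangle -A {chain} -p tcp --tcp-flags SYN,RST SYN "
            f"-j TCPMSS --set-mss {mss}")


if __name__ == "__main__":
    # Assumed cipher suites for the demo (not the posters' configuration).
    suites = {
        "3des-cbc/hmac-sha1-96": dict(iv_len=8, block=8, icv_len=12),
        "aes-cbc/hmac-sha1-96": dict(iv_len=16, block=16, icv_len=12),
    }
    for name, esp in suites.items():
        mtu = tunnel_mtu(1500, **esp)
        print(f"{name}: tunnel MTU {mtu}, MSS that fits {mss_for_mtu(mtu)}")
    print(tcpmss_rule(1300))
```

On a 1500-byte outer link, 3DES-CBC with HMAC-SHA1-96 gives a tunnel MTU of 1446, the number in the quoted tcpdump line, and AES-CBC gives 1438; the corresponding MSS values are 1406 and 1398. A fixed clamp of 1300 as used above stays well below both and leaves margin for further encapsulation on the path (PPPoE, a second tunnel). The rule only touches the MSS advertised in the handshake, so it costs a few per-segment bytes of throughput but removes the dependency on ICMP delivery entirely.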