[strongSwan] RDP over VPN tunnel

Tommi Kyntola tommi.kyntola at ray.fi
Wed Aug 25 06:48:11 CEST 2010


Hi,
it's not a problem with IPsec per se, at least not in our case.
Because if the icmp packets are not blocked then things work just fine.
In our case we had thousands of road warriors behind various ISPs
and on-site firewalls that were out of our reach and fixing those firewalls
was not really an option. In your case it might be the same thing or
your configuration itself blocks those icmp packets.

Check with tcpdump that those icmp packets are generated properly (if possible)
and then make sure that they reach their destination. TCP will then lower its
path MTU and it'll work without the mss clamping.

cheers,
Tommi Kyntola

On 08/20/10 18:38, Andreas Muerdter wrote:
> Hi Tommi,
>
> thanks for your help, tcp-mss "solves" the problem.
> But is that the only solution to solve mtu problems with the ipsec from kernel 2.6?
>
> Regards
> Andreas
>
> Tommi Kyntola wrote on 17.08.2010 at 13:55
>
> Hi,
> we have had numerous problems with icmp type 3, code 4 (i.e. frag needed) packets
> getting blocked by misconfigured third-party firewalls. The only viable
> choice for us to avoid tcp-blackholes in those cases was to make sure the packets
> fit the MTUs along the path to begin with. Because in our case it was all tcp
> traffic inside the tunnels it was sufficient to use the mangle table and TCPMSS
> clamping (e.g. --set-mss 1300).
>
> Naturally that has an impact on tcp throughput, but for us that was not an issue.
>
> Hope that helps.
>
> cheers,
> Tommi Kyntola
>
> On 08/17/10 13:58, Andreas Muerdter wrote:
>> Hi List,
>>
>> I know the problem. The packets from RDP are too big and need to frag.
>> The Kernel 2.6 sends the icmp packet "need to frag" to the client, but with the external IP address of
>> the VPN Server.
>> The packet is not sent over the VPN tunnel, it is sent plain over the external interface.
>> That means that this packet is not received by the client.
>>
>> In my case I have a net2net VPN 10.1.0.0/16 <=> 10.3.0.0/16 over a third VPN Server with the external IP 192.168.100.2
>> and this IP is used for the ICMP packet.
>>
>> 11:59:10.227180 192.168.100.2 > 10.1.1.101: icmp: 10.3.10.10 unreachable - need to frag (mtu 1446) [tos 0xc0]
>>
>> Does anyone know this problem and have a solution?
>>
>> Regards
>>
>> Andreas
>>
>> Hi list,
>>
>> I have two VPN tunnels with 3 servers (net2net).
>>
>> |HostA| --- |HostB| --- |HostC|
>>
>> HostA and HostC are running with strongswan 2.8.11 and Host B is running with strongswan 4.4.1.
>> ICMP between all nets behind the hosts A, B, C is OK. But when I try to
>> connect via RDP from Net A (HostA) to Net C (HostC) over HostB, the RDP connection will not establish.
>> The same happens from Net C to Net A over Host B.
>> But I can connect from Net B to Net A and Net C via RDP without any problems.
>> It seems that Host B does not forward all traffic with a higher packet size to the other nets.
>> It is not an iptables problem, it seems like mtu in the ipsec or something else.
>>
>> any ideas?
>>
>> Regards
>>
>> Andreas
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
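The check Tommi recommends (confirm with tcpdump that the ICMP type 3, code 4 errors are generated and actually delivered) together with Andreas's observation that the error is sourced from the gateway's external address can be turned into a small triage script. The following Python is an added example, not code from this thread or from strongSwan: it parses tcpdump's "need to frag" lines, flags errors whose source address lies outside the tunnel's inner networks (those are the ones that, as Andreas describes, travel outside the tunnel and never reach the client), and derives a TCPMSS clamp value from the lowest advertised MTU. The sample capture is constructed (the first line mirrors the one quoted above), the inner networks 10.1.0.0/16 and 10.3.0.0/16 are taken from the thread, and the 40-byte IPv4+TCP header assumption (no options) is mine.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# tcpdump renders ICMP type 3 / code 4 ("fragmentation needed") like this;
# older tcpdump prints "icmp:", newer versions print "ICMP":
#   192.168.100.2 > 10.1.1.101: icmp: 10.3.10.10 unreachable - need to frag (mtu 1446)
FRAG_NEEDED_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<src>[\d.]+)\s*>\s*(?P<dst>[\d.]+):\s*"
    r"(?:icmp:|ICMP)\s+(?P<orig_dst>[\d.]+)\s+unreachable\s+-\s+need to frag\s+"
    r"\(mtu\s+(?P<mtu>\d+)\)"
)

# Assumption: IPv4 and TCP headers without options. The MSS excludes both headers,
# so a segment fits an MTU of N when MSS <= N - 40.
IPV4_HEADER_LEN = 20
TCP_HEADER_LEN = 20


@dataclass
class FragNeeded:
    time: str
    src: str             # router/gateway that generated the ICMP error
    dst: str             # host that sent the too-large packet
    orig_dst: str        # destination of the dropped packet
    mtu: int             # next-hop MTU advertised in the error
    src_in_tunnel: bool  # is the error sourced from an address the tunnel covers?
    suggested_mss: int   # MSS that lets a plain TCP segment fit the advertised MTU


def parse_frag_needed(line: str, tunnel_nets: Iterable[str]) -> Optional[FragNeeded]:
    """Parse one tcpdump line; return None for anything that is not a frag-needed error."""
    m = FRAG_NEEDED_RE.search(line)
    if m is None:
        return None
    nets = [ipaddress.ip_network(n, strict=False) for n in tunnel_nets]
    src = ipaddress.ip_address(m["src"])
    mtu = int(m["mtu"])
    return FragNeeded(
        time=m["time"],
        src=m["src"],
        dst=m["dst"],
        orig_dst=m["orig_dst"],
        mtu=mtu,
        src_in_tunnel=any(src in n for n in nets),
        suggested_mss=mtu - IPV4_HEADER_LEN - TCP_HEADER_LEN,
    )


def audit_capture(lines: Iterable[str], tunnel_nets: Iterable[str]) -> dict:
    """Summarise a capture: all frag-needed errors, the ones sourced from outside
    the tunnel's address space (the case described in the thread, where the error
    is sent plain from the gateway's external IP and never reaches the client),
    and the MSS clamp value implied by the lowest advertised MTU."""
    nets = list(tunnel_nets)
    events = [e for e in (parse_frag_needed(l, nets) for l in lines) if e is not None]
    outside = [e for e in events if not e.src_in_tunnel]
    min_mtu = min((e.mtu for e in events), default=None)
    clamp = None if min_mtu is None else min_mtu - IPV4_HEADER_LEN - TCP_HEADER_LEN
    return {"events": events, "outside_tunnel": outside, "min_mtu": min_mtu, "clamp_mss": clamp}


# Constructed sample capture: line 1 mirrors the error quoted in the thread (sourced from
# the gateway's external address 192.168.100.2, outside both inner nets), line 2 is a
# well-formed error from inside the tunnel, line 3 is unrelated traffic to be ignored.
SAMPLE_CAPTURE = [
    "11:59:10.227180 192.168.100.2 > 10.1.1.101: icmp: 10.3.10.10 unreachable - need to frag (mtu 1446) [tos 0xc0]",
    "11:59:11.000000 10.3.0.1 > 10.1.1.101: ICMP 10.3.10.10 unreachable - need to frag (mtu 1400), length 36",
    "11:59:12.000000 10.1.1.101.3389 > 10.3.10.10.52310: Flags [S], seq 1, win 65535, length 0",
]
TUNNEL_NETS = ["10.1.0.0/16", "10.3.0.0/16"]  # inner networks named in the thread

if __name__ == "__main__":
    report = audit_capture(SAMPLE_CAPTURE, TUNNEL_NETS)
    for e in report["events"]:
        where = "inside" if e.src_in_tunnel else "OUTSIDE"
        print(f"{e.time} {e.src} -> {e.dst}: frag needed for {e.orig_dst}, mtu {e.mtu}, "
              f"error sourced {where} the tunnel, fitting mss {e.suggested_mss}")
    print(f"lowest advertised MTU {report['min_mtu']}; clamp MSS to {report['clamp_mss']}")
```

Errors listed under `outside_tunnel` are the ones to chase: either the gateway must emit the error from an address that is routed through the tunnel, or the client will never see it and TCP black-holes exactly as the thread describes. The `clamp_mss` value is what you would hand to the usual mangle rule (`iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss <value>`); Tommi's 1300 is deliberately lower than what one capture suggests, which is the right trade-off when road warriors sit behind many different paths whose MTUs you cannot measure.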



