[strongSwan] Strongswan as a VPN Hub with a single network adapter

Mirko Parthey mirko.parthey at informatik.tu-chemnitz.de
Fri Aug 30 21:15:10 CEST 2013


On Fri, Aug 30, 2013 at 01:26:42PM +0100, Kevin Palmer wrote:
> However, it all looked great until I tried to actually communicate between
> spokes. I seem to be able to do pings and make connections to ports but when I
> try to put some traffic across the VPN I get problems. i.e. I can successfully
> telnet to ports but actually doing any meaningful communication seems to fail.
>  
> My two spokes are Windows machines and I've tried creating an RDP connection
> between them which accepts the connection, asks for credentials, starts
> connecting and then hangs for a while. Finally it fails. It seems like the
> initial connection can be made but very soon after the connection hangs.
>  
> Doing DNS lookups between spokes on the VPN however works fine (I think because
> they are brief).
>  
> I can connect to an FTP server and do a directory listing but as soon as I try
> and transfer a file it hangs and then fails.
>  
> Any ideas what can cause this connection hanging?

This looks like a problem with path MTU discovery.

When this mechanism is working properly, you can see some ICMP
messages of the type "destination unreachable, fragmentation needed"
being transferred from the gateway to a client, and the client reacts by
sending smaller TCP segments. You can check this with a packet sniffer
on your gateway.

When path MTU discovery fails, the reason is often a misconfigured
packet filter on a router or on the final host, blocking ICMP partially
or completely.

Regards,
Mirko
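As an added illustration of the check described in the reply above (not part of the original thread), the following Python script scans a tcpdump text capture taken on the gateway for ICMP "need to frag" messages and flags senders that keep emitting segments larger than the advertised MTU afterwards, which is the symptom of ICMP being filtered or ignored. The capture lines are constructed, and the 40-byte header size is an assumption (IPv4 and TCP without options).

```python
import re

# Constructed sample in tcpdump's default text format (what
# `tcpdump -n -i eth0 'icmp or tcp'` prints on the gateway); not a real trace.
SAMPLE_CAPTURE = """\
10:00:01.000100 IP 192.168.1.2.3389 > 10.0.1.5.50123: Flags [.], seq 1:1461, ack 1, win 64240, length 1460
10:00:01.000200 IP 10.0.0.1 > 192.168.1.2: ICMP 10.0.1.5 unreachable - need to frag (mtu 1400), length 556
10:00:01.000300 IP 192.168.1.2.3389 > 10.0.1.5.50123: Flags [.], seq 1:1361, ack 1, win 64240, length 1360
10:00:02.000100 IP 192.168.1.3.21 > 10.0.1.6.50200: Flags [.], seq 1:1461, ack 1, win 64240, length 1460
10:00:02.000200 IP 10.0.0.1 > 192.168.1.3: ICMP 10.0.1.6 unreachable - need to frag (mtu 1400), length 556
10:00:02.000300 IP 192.168.1.3.21 > 10.0.1.6.50200: Flags [.], seq 1:1461, ack 1, win 64240, length 1460
"""

# ICMP type 3 code 4 as tcpdump prints it: sent to the original sender,
# naming the destination it could not reach and the next-hop MTU.
ICMP_FRAG_RE = re.compile(
    r"IP [\d.]+ > (?P<src>[\d.]+): ICMP (?P<dst>[\d.]+) unreachable - "
    r"need to frag \(mtu (?P<mtu>\d+)\)")
# A TCP segment; tcpdump's trailing "length N" is the payload length.
TCP_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.\d+: Flags .* length (?P<plen>\d+)$")
IP_TCP_HEADERS = 40  # assumed: IPv4 + TCP headers without options


def analyze_pmtud(capture: str) -> dict:
    """Return the MTU learned per (sender, destination) pair and every TCP
    segment that was still too large after the ICMP message had arrived."""
    pmtu, oversized, icmp_count = {}, [], 0
    for line in capture.splitlines():
        m = ICMP_FRAG_RE.search(line)
        if m:
            icmp_count += 1
            pmtu[(m["src"], m["dst"])] = int(m["mtu"])
            continue
        m = TCP_RE.search(line)
        if not m:
            continue
        key = (m["src"], m["dst"])
        packet_len = int(m["plen"]) + IP_TCP_HEADERS
        if key in pmtu and packet_len > pmtu[key]:
            oversized.append((m["src"], m["dst"], packet_len, pmtu[key]))
    return {"icmp_count": icmp_count, "pmtu": pmtu, "oversized": oversized}


if __name__ == "__main__":
    result = analyze_pmtud(SAMPLE_CAPTURE)
    if result["icmp_count"] == 0:
        print("no 'need to frag' messages seen: ICMP may be filtered on the path")
    for src, dst, size, mtu in result["oversized"]:
        print(f"{src} -> {dst}: {size}-byte packet after MTU {mtu} was advertised")
```

In the sample, 192.168.1.2 shrinks its segments after the ICMP message while 192.168.1.3 does not, so only the second pair is reported.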
