by Eran Ben-Avi

Subject: mtu/fragmentation problem with openswan 2.4.9


I encountered the following issue while working with openswan 2.4.9 on kernel
When I established an IPsec tunnel connection between my reference board (ARM) running openswan vs.
Windows XP and tried to send a file via FTP (PUT) from the board to the PC, I got the following error loop:
klips_error:ipsec_xmit_send: ip_send() failed, err=90 .
It seems like the ipsec0 device receives a 1514-byte packet from the IP stack and, after adding the IPsec header, it sends 1536 bytes, which crosses the MTU boundary (1500) and therefore receives this error status from ip_fragment.
I tested the same scenario with openswan 2.4.2 on kernel and after the first error it seems like the Linux stack was able to recover (maybe by sending the ICMP from ip_fragment???).
I know I can prevent this problem by decreasing the ipsec0 MTU size to < ~1460b or by enabling ip_no_pmtu_disc, but it seems like bypassing the "real" problem.

Any suggestions?

Eran Ben-Avi

