[plug] IPsec and MTU

Adrian Woodley Adrian at Diskworld.com.au
Wed Nov 24 12:24:19 WST 2004


G'Day Pluggers,
       This is doing my head in! I have two networks, 192.168.1.0/24 in 
Midland and 192.168.2.0/24 in Ellenbrook. They've both got SDSL, 512k, 
through arachnet. While both are using PPPoA (to avoid MTU issues), 
Ellenbrook's modem (Dynalink RTA230) is capping the MTU to 1492.
       Linking the two networks is an IPsec VPN, using racoon and the 2.6 
kernel ipsec modules. The link works fine except for transferring large 
amounts of data.
       The problem is that there is a different MTU on each connection:

Midland->internet: 1500
Midland->IPsec: 1444

Ellenbrook->internet:1492
Ellenbrook->IPsec: 1436

       This shouldn't be a problem if PMTU-D is working correctly. 
However, packets leaving the gateway machines aren't making it onto the 
VPN as their source address is their live IP (i.e. 203.blaa.blaa.blaa), 
rather than their LAN address.

Demonstration:-
Minus-Tirith:~# ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.

--- 192.168.2.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

Minus-Tirith:~# ping -I 192.168.1.1 192.168.2.1
PING 192.168.2.1 (192.168.2.1) from 192.168.1.1 : 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=30.7 ms
64 bytes from 192.168.2.1: icmp_seq=2 ttl=64 time=45.5 ms

--- 192.168.2.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 30.712/38.135/45.559/7.426 ms

The problem is that the ICMP "Can't Fragment" packets are not making it 
back from the remote gateway machine as they aren't being sent over the VPN.

I can't SNAT the gateway's address as SNAT applies to POSTROUTING, ie 
after the packet should be on the VPN.

Any ideas on how I can get the ICMP packets to be sent from the LAN 
address and be transmitted over the VPN?

Cheers,
Adrian Woodley
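The failure described above, as an added example that is not part of the original post: a small simulation of path MTU discovery over a two-hop IPsec path, together with a builder and parser for the ICMP "fragmentation needed" message (type 3, code 4, RFC 1191) that carries the next-hop MTU. The MTU figures 1444 and 1436 come from the post; the hop layout, the `reply_reaches_sender` flag that models an ICMP reply sourced from the gateway's public address and therefore never routed back through the VPN, and the constructed packet bytes are assumptions made for this example.

```python
"""Why PMTU discovery stalls when ICMP 'fragmentation needed' never reaches the sender.

Added example, not from the original post. MTU values are taken from the post;
hop structure, reachability flags and packet bytes are constructed here.
"""
import struct

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4  # RFC 1191: "fragmentation needed and DF set"


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu: int, offending_header: bytes) -> bytes:
    """ICMP message a router sends when a DF packet exceeds the next-hop MTU.

    Layout: type, code, checksum, 2 unused bytes, next-hop MTU (RFC 1191),
    followed by the IP header plus first 8 bytes of the dropped datagram.
    """
    hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    payload = hdr + offending_header
    return payload[:2] + struct.pack("!H", icmp_checksum(payload)) + payload[4:]


def parse_frag_needed(msg: bytes):
    """Return the advertised next-hop MTU, or None if the message is not a valid one."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if typ != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    return mtu


def send_df(path, size):
    """Walk `path` with a DF packet of `size` bytes.

    Each hop is (name, MTU of the link it forwards onto, reply_reaches_sender).
    Returns ("ok", None) on delivery, or ("dropped", icmp_bytes_or_None).
    """
    for _name, mtu, reply_reaches_sender in path:
        if size > mtu:
            if not reply_reaches_sender:
                return ("dropped", None)  # reply sourced from the public IP, bypasses the VPN
            # Constructed stand-in for the 20-byte IP header + 8 bytes of the dropped packet.
            offending = b"\x45\x00" + struct.pack("!H", size) + b"\x00" * 24
            return ("dropped", build_frag_needed(mtu, offending))
    return ("ok", None)


def discover_pmtu(path, start_size, max_tries=8):
    """Classic PMTU-D: shrink to the advertised MTU on every frag-needed reply.

    Returns the discovered path MTU, or None when a silent drop stalls discovery
    (the "black hole" the post is seeing with large transfers).
    """
    size = start_size
    for _ in range(max_tries):
        status, reply = send_df(path, size)
        if status == "ok":
            return size
        mtu = parse_frag_needed(reply) if reply else None
        if mtu is None or mtu >= size:
            return None  # nothing learned from this drop
        size = mtu
    return None


# Hop MTUs from the post; the hop order and reachability flags are assumptions.
WORKING_PATH = [
    ("Midland gateway -> IPsec", 1444, True),
    ("Ellenbrook gateway -> IPsec", 1436, True),
]
BROKEN_PATH = [
    ("Midland gateway -> IPsec", 1444, True),
    ("Ellenbrook gateway -> IPsec", 1436, False),  # remote gateway's ICMP never comes back over the VPN
]

if __name__ == "__main__":
    print("replies delivered :", discover_pmtu(WORKING_PATH, 1500))  # 1436
    print("remote reply lost :", discover_pmtu(BROKEN_PATH, 1500))   # None
```

With both replies delivered the sender settles on 1436 after two rounds; once the remote gateway's reply is sourced from an address that is not routed back through the tunnel, the second drop is silent and discovery stops at 1444, which is exactly the size that then disappears on the wire. The two usual defences against this class of black hole are clamping TCP MSS to the path MTU on the gateway (iptables' `TCPMSS --clamp-mss-to-pmtu` target in the mangle table) and giving the gateway's own routes toward the remote LAN a LAN-side preferred source address (`ip route ... src <LAN address>`), so that locally generated ICMP matches the IPsec policy.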
