MTU issues with Openswan tunnel

I have several ipsec tunnels to various clients and recently
added a new one for a new client.  With this new client's
VPN connection, nothing (ie FTP, terminal sevices, etc)
seems to work well unless I manually set the MTU value for
Openswan to 1400.  However setting the MTU to 1400 screws up
my other ipsec tunnels.  Is there a way to set the MTU value
for just one tunnel?

The symptoms are very strange.  If I leave the MTU value at
the default, I can get one or two terminal sessions via the
new tunnel but any additional attempts time out.  If I
change it to 1400 the new tunnel works great but my other
established tunnels only allow one or two connections.  I
have tried values between 1400 and 1500 but have been unable
to find any middle ground that works well.

Thanks for your help.

Nathan
_______________________________________________
Usersopenswan.org
http
://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with
Openswan: 
http://www.amazon.com/gp/product/1904811
256/104-3099591-2946327?n=283155

On Thu, 30 Nov 2006, Jett, Nathan wrote:

> I have several ipsec tunnels to various clients and
recently added a new one for a new client.  With this new
client's VPN connection, nothing (ie FTP, terminal sevices,
etc) seems to work well unless I manually set the MTU value
for Openswan to 1400.  However setting the MTU to 1400
screws up my other ipsec tunnels.  Is there a way to set the
MTU value for just one tunnel?

Yes, using Advanced Routing. Something like:

ip route change rightsubnet/mask dev xxx mtu 1400

I'd like to see an mtu= option for a per-tunnel setting that
does exactly
this. Perhaps something Tuomo would like to work on? 

Paul
-- 
Building and integrating Virtual Private Networks with
Openswan:
http://www.amazon.com/gp/product/1904811
256/104-3099591-2946327?n=283155
_______________________________________________
Usersopenswan.org
http
://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with
Openswan: 
http://www.amazon.com/gp/product/1904811
256/104-3099591-2946327?n=283155

Thanks Paul,

This worked perfectly.  You are right, this would be a very
useful feature in the 
config file.

Thanks again,
Nathan

-----Original Message-----
From: Paul Wouters [mailto:paulxelerance.com]
Sent: Thursday, November 30, 2006 2:32 PM
To: Jett, Nathan
Cc: usersopenswan.org; devopenswan.org
Subject: Re: [Openswan Users] MTU issues with Openswan
tunnel


On Thu, 30 Nov 2006, Jett, Nathan wrote:

> I have several ipsec tunnels to various clients and
recently added a new one for a new client.  With this new
client's VPN connection, nothing (ie FTP, terminal sevices,
etc) seems to work well unless I manually set the MTU value
for Openswan to 1400.  However setting the MTU to 1400
screws up my other ipsec tunnels.  Is there a way to set the
MTU value for just one tunnel?

Yes, using Advanced Routing. Something like:

ip route change rightsubnet/mask dev xxx mtu 1400

I'd like to see an mtu= option for a per-tunnel setting that
does exactly
this. Perhaps something Tuomo would like to work on? 

Paul
-- 
Building and integrating Virtual Private Networks with
Openswan:
http://www.amazon.com/gp/product/1904811
256/104-3099591-2946327?n=283155
_______________________________________________
Usersopenswan.org
http
://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with
Openswan: 
http://www.amazon.com/gp/product/1904811
256/104-3099591-2946327?n=283155