Hello,

> > This seems to be an icmp error: 3, code 4. That would be
> > (http://www.iana.org/assignments/icmp-parameters):
> > 3 Destination Unreachable
> > 4 Fragmentation Needed and Don't Fragment was Set
> >
> > My large ping test is not a good test it seems? Any idea why this
> > problem only triggers after about a week, and why it's then for ALL
> > packets and not just large ones.
> I would say that routing between the two endpoints changed.
> Eg your ISP went from peering to transit, or some transit
> provider was unavailable or something.
I forgot one important piece of information. When I reboot the firewall it
works OK again. Just a restart of the ipsec service is not enough. If there
is a routing problem, shouldn't a restart of the ipsec service be enough?
The tunnel is rebuilt and the packets follow the new route? Since the
VPN is OK after a reboot, it seems there is no persistent routing problem?

Just did some more testing, pinging from the Windows box on the inside was
not a good test. I just did the same from the Linux box and then my pings
failed just short of 1500. I now set overridemtu=1400. My pings go thru now
independent of the ping size.

I have no idea if that would explain a weekly problem that only goes away
with a reboot. But it's at least a good thing.

From another mail to the list I saw the ipsec verify command. When I run
this I get:
-------------------------
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan 2.CVSHEAD (klips)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking tun0x1004@66.119.179.10 from 192.168.70.0/24 to 172.16.7.13/32   [FAILED]
   LOG from 192.168.70.0/24 to 0.0.0.0/0 kills tunnel 192.168.70.0/24 -> 172.16.7.13/32   [FAILED]
   MASQUERADE from 192.168.70.0/24 to 0.0.0.0/0 kills tunnel 192.168.70.0/24 -> 172.16.7.13/32
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
-------------------------
In my firewall software I changed MASQ so that it only masq's stuff going
out over eth0, not ipsec0. Error still there. I would expect packets to
172.16.7.13 only to go thru the ipsec0 interface (inside the tunnel).

What does the "LOG kills tunnel" mean exactly? LOG seems innocent.
> Paul
> --
> Building and integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
_______________________________________________
Users@openswan.org
http://lists.openswan.org/mailman/listinfo/users
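The "kills tunnel" lines in the verify output are about nat POSTROUTING rules whose source and destination ranges cover the tunnel's own selectors (192.168.70.0/24 -> 172.16.7.13/32). The following is an added example, not Openswan code and not the poster's firewall configuration: it models a POSTROUTING chain as an ordered rule list (LOG is non-terminating; ACCEPT and MASQUERADE terminate), reproduces the verify-style overlap listing, and then shows what a tunnel packet actually gets as a verdict under the original rules, under the "-o eth0 only" change the poster made, and under an ACCEPT-before-MASQUERADE exception. The overlap check deliberately ignores the out interface; that is this model's assumption, not a statement about how the real verify script parses iptables. The packet address 192.168.70.20 and the interface names follow the KLIPS ipsec0/eth0 setup described in the mail and are constructed.

```python
"""Model of the nat POSTROUTING check behind "MASQUERADE ... kills tunnel".

Added example (not Openswan's verify script). Rules are evaluated in order:
LOG only logs and falls through, ACCEPT and MASQUERADE end the chain walk.
Subnets are the ones from the ipsec verify output; the sample packet and
interface names are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

TERMINATING = {"ACCEPT", "MASQUERADE"}   # LOG is non-terminating in iptables


@dataclass
class Rule:
    target: str                 # LOG, ACCEPT or MASQUERADE
    src: str = "0.0.0.0/0"      # -s
    dst: str = "0.0.0.0/0"      # -d
    out: Optional[str] = None   # -o <iface>; None matches any interface


@dataclass
class Packet:
    src: str
    dst: str
    out: str                    # interface chosen by the routing decision


def _matches(rule: Rule, pkt: Packet) -> bool:
    """Exact iptables-style match: src in -s, dst in -d, and -o if given."""
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and (rule.out is None or rule.out == pkt.out))


def nat_verdict(chain: List[Rule], pkt: Packet) -> Optional[str]:
    """Return the terminating target applied to pkt, or None if the chain's
    default policy applies (no NAT performed)."""
    for rule in chain:
        if _matches(rule, pkt) and rule.target in TERMINATING:
            return rule.target
    return None


def rules_overlapping_tunnel(chain: List[Rule], leftsubnet: str,
                             rightsubnet: str) -> List[str]:
    """Verify-style listing: every rule whose -s overlaps leftsubnet and whose
    -d overlaps rightsubnet, regardless of target or -o (model assumption)."""
    left = ipaddress.ip_network(leftsubnet)
    right = ipaddress.ip_network(rightsubnet)
    return [f"{r.target} from {r.src} to {r.dst}" for r in chain
            if ipaddress.ip_network(r.src).overlaps(left)
            and ipaddress.ip_network(r.dst).overlaps(right)]


# Tunnel selectors taken from the verify output in the mail.
LEFT, RIGHT = "192.168.70.0/24", "172.16.7.13/32"
# Constructed inner packet: LAN host to the remote peer, routed via ipsec0 (KLIPS).
TUNNEL_PKT = Packet("192.168.70.20", "172.16.7.13", "ipsec0")

# Three constructed POSTROUTING chains to compare.
ORIGINAL = [Rule("LOG", LEFT), Rule("MASQUERADE", LEFT)]
BY_INTERFACE = [Rule("LOG", LEFT), Rule("MASQUERADE", LEFT, out="eth0")]
ACCEPT_FIRST = [Rule("ACCEPT", LEFT, RIGHT), Rule("MASQUERADE", LEFT)]

if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL), ("-o eth0", BY_INTERFACE),
                        ("accept first", ACCEPT_FIRST)):
        print(f"{name:13s} flagged: {rules_overlapping_tunnel(chain, LEFT, RIGHT)}")
        print(f"{name:13s} verdict for tunnel packet: {nat_verdict(chain, TUNNEL_PKT)}")
```

Running it shows the two sides of the question: the overlap listing flags both the LOG and the MASQUERADE rule in every chain (the listing is a pattern match on addresses), while the verdict shows that only the MASQUERADE rule in the original chain rewrites the tunnel packet; the LOG rule never changes the packet, and either restricting MASQUERADE to eth0 or inserting an ACCEPT for the tunnel destination ahead of it leaves the packet un-NATed.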