[leaf-user] Kernel bug or problem with OpenVPN and NAT??

Wed, 02 Jun 2004 09:06:01 -0700 

Hello,

I am using Bering 1.1, in combination with OpenVPN
1.6. As you know, for OpenVPN tunnel, MTU size is
lower than standard 1500 bytes for ethernet, in my
case it is 1242. I have setup like this:

A - G1 ===== G2 - B

where A and B are hosts which communicate using Remote
Desktop (yes, crappy windows) on port 3389. Host A is
sending packets to G1:3389 and gateway G1 (bering
firewall) is translating G1:3389 to B:3389. This NAT
is configured using Shorewall. When small packets are
passing through, everything is ok. If packet with size
> 1242 hits the G1, it sends response to host A using
message "ICMP unreachable - need to fragment". Problem
is that tcpdump shows that this ICMP packets refer to
communication between A and B, instead A and G1! As
host A speaks with G1 and not with B, it simply
ignores this ICMP packets, and as result, I get only
black screen inside my Remote Desktop window. For me
this looks like bug in kernel which should undo the
translation and send ICMP message with correct
addresses, but I am not completely sure. Did anyone
expirience soemthing similiar, and is there any fix
for this? I have kernel 2.4.20 which came with Bering
1.1 distribution.
I tried to lower MTU on ethernet interface on the side
of host A to 1242, but it does not help. Although,
from 10 tries, I can have one or two sessions with
correct overwritting the address in the ICMP message
and then connection works, so it definitely looks like
bug for me.

Thanks for your opinion
Vladimir Ilic


        
                
__________________________________
Do you Yahoo!?
Friends.  Fun.  Try the all-new Yahoo! Messenger.
http://messenger.yahoo.com/ 


-------------------------------------------------------
This SF.Net email is sponsored by the new InstallShield X.
>From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and
evaluate today! http://www.installshield.com/Dev2Dev/0504
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Reply via email to