Hello, all. We are seeing some bizarre behavior with our Windows OpenVPN clients. We are not seeing the same behavior in the Linux clients. Our setup is an OpenVPN gateway running openswan connecting to other offices via openswan. I am just now beginning to peruse the more obscure configuration settings and do some extensive testing but, if anyone knows the answer off the top of their head, it will save me many hours.

Whenever the Windows client accesses a station in one of the offices, i.e., across the openswan VPN, an entry for that station is added to the Windows routing table. Although that is surprising, it would not be too bad except that the MTU on the route is set to 576! The result is massive packet fragmentation. This happens with or without using the fragment directive. The routing entries are not made when using a Linux client.

So, for example, when the Windows client first connects, they can do:

    ping -f -l 1472 x.x.x.x

After a moment, the route is added and the same command fails until the length is reduced to 548 or lower. We are using 2.1 beta8.
The client config is:

    client
    dev tun
    proto udp
    remote x.x.x.x 1194
    resolv-retry infinite
    nobind
    ca /etc/openvpn/certs/NiagaraCA.pem
    pkcs12 /etc/openvpn/certs/jsullivan.atlas.p12
    ns-cert-type server
    tls-auth tlsauthniag 1
    comp-lzo
    verb 3
    #fragment 1435
    #mssfix
    passtos

The server config is:

    port 1194
    proto udp
    dev tun0
    key /etc/ipsec.d/private/niagararasgwk.pem
    cert /etc/ipsec.d/certs/niagararasgwc.pem
    ca /etc/ipsec.d/cacerts/NiagaraCA.pem
    crl-verify /etc/ipsec.d/crls/NiagaraCRL.pem
    dh /etc/openvpn/certs/dh5.pem
    server 172.20.100.0 255.255.255.128
    topology subnet
    ifconfig-pool-persist ipp.txt
    client-connect /etc/openvpn/clientconn.script
    client-disconnect /etc/openvpn/clientdisconn.script
    push "redirect-gateway def1"
    push "dhcp-option DNS 10.4.1.77"
    push "dhcp-option DNS 10.1.1.22"
    push "dhcp-option DNS x.x.x.x"
    push "dhcp-option WINS 10.1.1.10"
    push "dhcp-option WINS 10.4.1.35"
    keepalive 10 120
    tls-auth /etc/openvpn/tlsauthniag 0 # This file is secret
    comp-lzo
    persist-key
    persist-tun
    status /var/log/openvpn/openvpn-status.log
    log-append /var/log/openvpn/openvpn.log
    verb 3
    passtos
    management 127.0.0.1 1194 /etc/openvpn/mgmtfile

The tricky thing with these kinds of problems is that everything actually works and no one would know the worse if we hadn't seen the fragmentation messages. Now that we know, we know we can make a dramatic improvement in performance if we can fix this.

Thanks - John

-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx

If you would like to participate in the development of an open source enterprise class network security management system, please visit http://iscs.sourceforge.net

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
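The post diagnoses the problem by hand with `ping -f -l 1472` and then shrinking the length until the probe succeeds. The script below automates that check; it is an added example written for this archive page, not code from John's post, from the openvpn-users list or from the OpenVPN project. It assumes a Windows host with `ping.exe` on the PATH and English-language ping output (it looks for the "needs to be fragmented" message and the "TTL=" of an echo reply); `x.x.x.x` is the placeholder address from the post, and the 400-byte lower bound is an assumption chosen to sit below the 548 bytes the post observes.

```powershell
# Added example, not part of the original post or of OpenVPN: binary-search the
# largest ICMP payload that reaches $Target with the Don't Fragment bit set, using
# the same "ping -f -l <size>" probe the post describes. Assumes Windows ping.exe
# with English output; $Target is a placeholder for the remote station.
function Find-MaxUnfragmentedPayload {
    param(
        [Parameter(Mandatory)][string]$Target,
        [int]$Low  = 400,   # assumed lower bound, comfortably below the 548 seen in the post
        [int]$High = 1472   # 1500-byte Ethernet MTU minus 20 (IPv4) and 8 (ICMP) header bytes
    )
    $best = $null
    while ($Low -le $High) {
        $mid = [int][math]::Floor(($Low + $High) / 2)
        # -f sets DF, -l is the payload size, -n 1 sends a single probe,
        # -w 2000 waits at most two seconds for the reply
        $out = (& ping.exe -f -l $mid -n 1 -w 2000 $Target 2>&1) | Out-String
        if ($out -match 'needs to be fragmented') {
            $High = $mid - 1                # a hop (or a local route MTU) rejected it: shrink
        } elseif ($out -match 'TTL=') {
            $best = $mid; $Low = $mid + 1   # echo reply came back: try a larger payload
        } else {
            $High = $mid - 1                # no answer at all: treat as failure and shrink
        }
    }
    return $best
}

# Report the path MTU implied by the largest payload (payload + 20 IPv4 + 8 ICMP)
# and say whether it matches the 576-byte route MTU the post describes.
function Test-RouteMtu {
    param([Parameter(Mandatory)][string]$Target)
    $payload = Find-MaxUnfragmentedPayload -Target $Target
    if ($null -eq $payload) {
        Write-Output "No DF-set probe to $Target was answered; cannot infer a path MTU."
        return
    }
    $mtu = $payload + 28
    Write-Output "Largest unfragmented payload to ${Target}: $payload bytes (path MTU $mtu)"
    if ($mtu -le 576) {
        Write-Output "Path MTU is at or below 576: a 576-byte route MTU like the one in the post is in effect."
    }
}

# Usage (x.x.x.x is the placeholder from the post): run once right after the tunnel
# comes up and again a moment later, to see the drop from 1472 to 548 the post describes.
# Test-RouteMtu -Target 'x.x.x.x'
```

Running the check before and after the first access to a station across the openswan link makes the change visible as a number rather than a hunch, which is the quickest way to confirm whether a configuration change (for example, reinstating the `fragment` or `mssfix` lines that are commented out in the client config) has actually removed the 576-byte route.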