# openswan & mtu problem [SOLVED]

## sickalien

I'm having some problems with an openswan tunnel...

It establishes all right, but it's a bit unreliable when using it.

I discovered that the problem is that the MTU setting of an interface is too small.

It is automatically assigned by the ISP via DHCP.

I corrected it with ifconfig and everything works fine.

What I want to know is whether it is possible to "override" that DHCP MTU setting, so that every time the box gets its IP it automatically gets the MTU size I need.

(I read something about dhclient.conf, but no luck.)

thanks!

----------

## Dagger

It's been a while since I played with Openswan. I presume the problem is rather that the MTU is too big rather than too small. Usually when IPsec adds its stack to the IP header it reduces the MTU from 1500 to ~1350.

The easiest way (in my opinion) is to clamp MSS to PMTU in netfilter (that way you change the MTU just for openswan packets and not for the entire interface).

Something like:

```
# Rewrite the MSS in outgoing SYNs so segments fit the path MTU of the route
iptables -t mangle -A POSTROUTING -o $OUTGOING_INTERFACE -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
```

Alternatively you might need to specify the MTU by hand (I only had this problem with the Cisco VPN client):

```
# Force a fixed MSS instead of deriving it from the path MTU
iptables -t mangle -A POSTROUTING -o $OUTGOING_INTERFACE -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1300
```

Replace $OUTGOING_INTERFACE with eth0, eth1 or whatever your outgoing interface is.

That should do the trick for you.

----------
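The "~1350" in the post above comes from ESP's per-packet overhead, and the MSS clamp exists so the encapsulated packet never exceeds the link MTU. The following is an added worked example, not code from the thread or from openswan: it computes the on-the-wire size of an IPv4 ESP tunnel-mode packet and, from that, the largest inner packet and the TCP MSS that fit a given link MTU. It assumes AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV); other cipher suites change those three constants, and the `nat_t` flag adds the 8-byte UDP encapsulation header used for NAT traversal.

```python
"""ESP tunnel-mode overhead and the MSS value a TCPMSS clamp should produce.

Added example for this thread (not openswan's or the posters' code).
Assumed cipher suite: AES-CBC (16-byte IV, 16-byte block) + HMAC-SHA1-96
(12-byte ICV) over IPv4.  Adjust iv_len/block/icv_len for other suites.
"""

IPV4_HEADER = 20
TCP_HEADER = 20
UDP_HEADER = 8    # present only with NAT traversal (UDP encapsulation)
ESP_HEADER = 8    # SPI + sequence number
ESP_TRAILER = 2   # pad-length byte + next-header byte


def esp_packet_size(inner_len, iv_len=16, block=16, icv_len=12, nat_t=False):
    """Bytes on the wire for an ESP tunnel-mode packet carrying an inner
    IP packet of inner_len bytes."""
    # The inner packet plus the 2-byte trailer is padded up to the cipher
    # block size before encryption.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    size = IPV4_HEADER + ESP_HEADER + iv_len + padded + icv_len
    if nat_t:
        size += UDP_HEADER
    return size


def max_inner_packet(link_mtu, **kw):
    """Largest inner IP packet whose ESP encapsulation still fits link_mtu
    (i.e. is not fragmented on the outer path)."""
    # Overhead is monotone in inner_len, so the first fit walking down wins.
    for inner in range(link_mtu, 0, -1):
        if esp_packet_size(inner, **kw) <= link_mtu:
            return inner
    raise ValueError("link MTU too small for any ESP payload")


def clamp_mss(link_mtu, **kw):
    """TCP MSS to write into SYNs that will be routed into the tunnel."""
    return max_inner_packet(link_mtu, **kw) - IPV4_HEADER - TCP_HEADER


def plain_mss(link_mtu):
    """MSS a host advertises from the link MTU alone, ignoring the tunnel."""
    return link_mtu - IPV4_HEADER - TCP_HEADER


def fragments_if_unclamped(link_mtu, **kw):
    """True when a full-size segment (plain_mss) no longer fits once
    encapsulated, which is exactly the case a TCPMSS clamp fixes."""
    inner = plain_mss(link_mtu) + TCP_HEADER + IPV4_HEADER
    return esp_packet_size(inner, **kw) > link_mtu


def set_mss_rule(iface, mss):
    """The --set-mss variant of the rule from the post, with a computed value."""
    return ("iptables -t mangle -A POSTROUTING -o %s -p tcp "
            "--tcp-flags SYN,RST SYN -j TCPMSS --set-mss %d" % (iface, mss))


if __name__ == "__main__":
    for mtu in (1500, 576):
        for nat_t in (False, True):
            print("link MTU %4d nat_t=%-5s inner<=%4d mss=%4d fragments_unclamped=%s"
                  % (mtu, nat_t, max_inner_packet(mtu, nat_t=nat_t),
                     clamp_mss(mtu, nat_t=nat_t), fragments_if_unclamped(mtu, nat_t=nat_t)))
    print(set_mss_rule("eth0", clamp_mss(1500, nat_t=True)))
```

With a 1500-byte link the numbers come out at an inner packet of 1438 bytes and an MSS of 1398 without NAT-T (1422 and 1382 with it), which is why the rounded "1300 to 1350" figures in the thread are safe choices. At the ISP's 576-byte MTU the same arithmetic leaves only 470 bytes of TCP payload per segment, so every tunnelled connection pays the ESP overhead on every tiny packet.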

## sickalien

Neat!

I'll try that.

The MTU size is really small. The ISP configures it at 576. I set it to 1500 and it works fine... really weird.

Thanks!!

----------

## Dagger

Some old routers used to set the MTU to 576 (the so-called internet standard at the time). You can specify the default MTU size in /etc/conf.d/net, but just like I said before, openswan (by adding the IPsec stack) should decrease it to ~1350 (unless they've sorted MTU out in openswan). The last time I was using it was about 3 years ago, so I might be wrong here. The best way to check it is to transfer a big file over FTP or SFTP. If the MTU is wrong, it will stop at some point.

----------

## sickalien

The iptables commands above didn't work.

Only setting the MTU size manually with ifconfig did.

----------

## Dagger

The iptables command does _not_ change the MTU of the interface.

To see if it works you need to type:

```
iptables -t mangle -L -n
```

----------

## sickalien

What I mean is,

I typed the iptables rule above without altering the MTU size manually, and the connection problem is not solved.

Does the default MTU size in /etc/conf.d/net apply to dynamically configured interfaces?

----------

## Dagger

You should add

```
mtu_eth0="1500" # <- I assume eth0 is your internet interface
```

to your /etc/conf.d/net.

Restart the interface:

```
/etc/init.d/net.eth0 restart
```

Check that the default MTU is 1500 (the standard value for Ethernet).

Check that the iptables rule is in place:

```
iptables -t mangle -L -n
```

Use

```
/etc/init.d/iptables save
```

to save the config.

Make sure iptables starts by default:

```
rc-update add iptables default
```

Everything _should_ (that doesn't mean it will :p) be fine from this point.

----------

## sickalien

The MTU setting in /etc/conf.d/net did the trick.

It sets the MTU after the DHCP process.

Thanks, Dagger, for the help!

----------

## UberLord

Bitch to your ISP about crappy MTU settings then.

Another (and probably better) solution is to get dhcpcd to ignore the MTU by using its -M option in conf.d/net:

```
dhcpcd_eth0="-M"
```

----------

