[KLUG Members] IPSEC VPN Problem
Bruce Smith
bruce at armintl.com
Fri Mar 4 10:09:11 EST 2005
> > > > > OpenVPN, it works, it's secure, and configuration is sane.
> > > > Yes, OpenVPN is very nice, and speaking of which ...
> > > > There seems to be a bug in the latest version.
> > > What version specifically, you mean the VERY latest?
> > The latest _stable_ version, 1.6.0.
>
> Yep, you're more current than me. I'll have to upgrade and see what happens.
> :)
>
> > > > Things quite often get stuck in the buffer. By that I mean:
> > > > I type a command like "ls -l". It displays the directory list
> > > > but stops a few lines before the end and hangs. I press SPACE
> > > > about three times and it finishes listing the directory and
> > > > gives me the command prompt (followed by my three SPACES).
> > > Are you using a TCP or UDP connection? I've seen that on OpenVPN over TCP
> > > before.
> > I let it default (UDP).
>
> Yep.
>
> > > > It's an intermittent problem, but happens fairly frequently.
> > > > This never used to happen, so I suspect it's a problem in a
> > > > newer version of OpenVPN from some upgrade.
> > > > Has anyone else seen this,
> > > Yes
> > > > or better yet, does anyone know how to "fix" it?
> > > No.
> > Bummer. :-(
> > Maybe the next time I feel masochistic, I'll try OpenSWAN... :-O
>
> I think I'd rather create a sendmail.cf by hand!

OK, after becoming sufficiently annoyed by the hangs in the VPN, I
started looking at the OpenSWAN documentation on how to create a simple
net-to-net VPN.

And after becoming sufficiently annoyed with the OpenSWAN documentation
and one thing that didn't seem to work the way I thought it should, I
switched my focus back to fixing OpenVPN. :-)

It turns out fixing OpenVPN is fairly simple. A little Googling
around, with the URL limited to openvpn.net in Google, turned up a fix in
just a couple of minutes. The fix is explained in the OpenVPN man page,
and in the FAQ.

To quote the man page: "MTU problems often manifest themselves as
connections which hang during periods of active usage. It's best to use
the --fragment and/or --mssfix options to deal with MTU sizing issues."

So I added both a fragment and mssfix line in my openvpn.conf file, with
values slightly lower than the default MTU, and the problem _appears_ to
be fixed now, although I may have to lower the fragment/mssfix values
slightly more if I run into any more problems. To quote the FAQ:
"Common values to try for mssfix/fragment: 1200, 1300, or 1400."
I'm trying 1400, but may need to lower to 1300 or 1200. Time will tell!

- BS
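
An added example, not part of the original post or of OpenVPN: instead of trying the FAQ's values in turn, this script measures the largest datagram the path to the peer carries unfragmented and prints the largest of 1400, 1300 and 1200 that fits. It assumes Linux iputils `ping`, IPv4, a peer that answers ICMP echo, a hypothetical `PEER` variable holding the peer's public address, and that the fragment/mssfix value counts UDP payload bytes without the UDP/IP headers.

```shell
#!/bin/sh
# Assumes Linux iputils ping (-M do sets Don't Fragment), IPv4, and PEER
# (hypothetical variable) set to the remote OpenVPN endpoint's address.

# probe SIZE: succeed if an ICMP echo with SIZE payload bytes gets through
# unfragmented. One lost packet reads as "too big", so rerun if in doubt.
probe() {
    ping -c 1 -W 2 -M do -s "$1" "$PEER" >/dev/null 2>&1
}

# largest_passing LO HI: binary-search the largest payload in [LO, HI]
# that probe accepts. Fails if even LO does not pass.
largest_passing() {
    lo=$1
    hi=$2
    probe "$lo" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid"; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$lo"
}

# pick_value LIMIT: largest of the FAQ's suggested values that does not
# exceed LIMIT. A UDP datagram with N payload bytes is the same size on the
# wire as an ICMP echo with N payload bytes (both add 28 bytes of IPv4
# headers), so LIMIT can be compared directly.
pick_value() {
    for v in 1400 1300 1200; do
        if [ "$v" -le "$1" ]; then
            echo "$v"
            return 0
        fi
    done
    return 1
}

# Runs only when a peer is given: PEER=<peer address> sh mtu-probe.sh
if [ -n "${PEER:-}" ]; then
    limit=$(largest_passing 1000 1472) || { echo "1000-byte probe failed" >&2; exit 1; }
    value=$(pick_value "$limit") || { echo "limit $limit is below 1200" >&2; exit 1; }
    printf 'fragment %s\nmssfix %s\n' "$value" "$value"
fi
```

The two printed lines go into openvpn.conf as in the post above.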