[KLUG Members] IPSEC VPN Problem

Bruce Smith bruce at armintl.com
Fri Mar 4 10:09:11 EST 2005


> > > > > OpenVPN,  it works, its secure, and configuration is sane.
> > > > Yes, OpenVPN is very nice, and speaking of which ...
> > > > There seems to be a bug in the latest version.
> > > What version specifically, you mean the VERY latest?
> > The latest _stable_ version, 1.6.0.
> 
> Yep, you're more current than me.  I'll have to upgrade and see what happens.
> :)
> 
> > > > Things quite often get stuck in the buffer.  By that I mean:
> > > > I type a command like "ls -l".  It displays the directory list
> > > > but stops a few lines before the end and hangs.  I press SPACE
> > > > about three times and it finishes listing the directory and 
> > > > gives me the command prompt (followed by my three SPACES).
> > > Are you using a TCP or UDP connection?  I've seen that on OpenVPN over TCP
> > > before.
> > I let it default (UDP).
> 
> Yep.
> 
> > > > It's an intermittent problem, but happens fairly frequently.
> > > > This never used to happen, so I suspect it's a problem in a 
> > > > newer version of OpenVPN from some upgrade.
> > > > Has anyone else seen this, 
> > > Yes
> > > > or better yet, does anyone know how to "fix" it?  
> > > No.
> > Bummer.  :-(
> > Maybe the next time I feel masochistic, I'll try OpenSWAN...  :-O
>
> I think I'd rather create a sendmail.cf by hand!

OK, after becoming sufficiently annoyed by the hangs in the VPN, I
started looking at the OpenSWAN documentation on how to create a simple
net-to-net VPN.

And after becoming sufficiently annoyed with the OpenSWAN documentation
and one thing that didn't seem to work the way I thought it should, I
switched my focus back to fixing OpenVPN.   :-)

It turns out fixing OpenVPN is fairly simple.  A little googling
around, with the URL limited to openvpn.net in Google, turned up a fix in
just a couple of minutes.  The fix is explained in the OpenVPN man page,
and in the FAQ.

To quote the man page:  "MTU problems often manifest themselves as
connections which hang during periods of active usage.  It's best to use
the --fragment and/or --mssfix options to deal with MTU sizing issues."

So I added both a fragment and an mssfix line in my openvpn.conf file, with
values slightly lower than the default MTU, and the problem _appears_ to
be fixed now, although I may have to lower the fragment/mssfix values
slightly more if I run into any more problems.  To quote the FAQ:
"Common values to try for mssfix/fragment: 1200, 1300, or 1400."
I'm trying 1400, but may need to lower to 1300 or 1200.  Time will tell!

 - BS
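As an added illustration of the change described in the post above (this is not the original poster's configuration and not taken from the OpenVPN project), here is what the fragment/mssfix workaround looks like in an openvpn.conf for a UDP point-to-point tunnel. The peer hostname, tunnel addresses and key path are placeholders; the MTU-related values are the ones the FAQ quote suggests trying first.

```conf
# Added example: static-key, point-to-point OpenVPN tunnel with the MTU workaround.
# Hostname, addresses and key path below are placeholders, not from the original post.
dev tun
remote vpn-peer.example.com 1194      # placeholder peer; UDP is the default transport
ifconfig 10.8.0.1 10.8.0.2            # placeholder tunnel endpoints
secret /etc/openvpn/static.key        # placeholder key path

# Cap every UDP datagram OpenVPN sends at this many bytes.  Larger tunnel packets
# are split by OpenVPN itself and reassembled by the peer, so this value must be
# identical on both ends.  Start at 1400; if sessions still hang, try 1300, then 1200.
fragment 1400

# Rewrite the MSS in TCP SYNs passing through the tunnel so that TCP sessions inside
# the VPN never produce packets that, once encapsulated, exceed the size above.
# Only TCP is affected by mssfix; fragment covers the remaining traffic.
mssfix 1400
```

The hang the post describes (output stalls mid-listing until a keystroke generates a small packet) is the classic symptom of an oversized encapsulated packet being silently dropped somewhere on the path. Lowering fragment/mssfix sidesteps that by keeping every datagram below the path MTU; if one value works, there is no benefit in going lower, since fragmentation costs per-packet overhead.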
