From: Matthew Hattersley <matthew.hattersley@va...> - 2006-05-17 08:20:05
# TCPMSS is only valid in the mangle table, so the chain lives there too
iptables -t mangle --new-chain clamp
# Clamp the advertised MSS on SYNs (SYN set, RST clear) to the path MTU
iptables -t mangle --insert clamp -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Send locally generated and forwarded SYNs through the clamp chain
iptables -t mangle --insert OUTPUT -p tcp --tcp-flags SYN,RST SYN -j clamp
iptables -t mangle --insert FORWARD -o <ext interface> -p tcp --tcp-flags SYN,RST SYN -j clamp
This may do the trick for you.
[mailto:devil-linux-discuss-admin@...] On Behalf Of
Sent: 16 May 2006 13:45
Subject: Re: [BULK] Re: [Devil-Linux-discuss] IPSec Problem, extremely
> Did you try your luck with the Openswan folks? We just use their stock
> patch without any modifications.
I DID try with them, and below is what Paul Wouters said.
I didn't try anything yet, but on discussing it over with the remote
appears that the crashing servers are all win2k3 without SP1. Those with
don't crash. Unfortunately most of these servers belong to Citrix farms,
there seems to be some issue upgrading them to SP1. For the moment we're
to the old version (firewall/*swan), but probably not for too long.
Anyway, it's hard to believe we're in the third millennium, and people
expensive operating system software that can be crashed just by sending
a single (totally valid) IP packet :-P
Thanks a lot
> I have an extremely weird problem with IPsec tunnels in Devil-Linux:
> I have two sites that are linked LAN-2-LAN by an IPSec tunnel that
> dedicated Linux firewalls.
> I have upgraded the two firewalls from Gibraltar
> to Devil-Linux-1.2.9 (Gibraltar had Freeswan 2.0.4, DL has Openswan
> When I try to establish a TCP connection to any windows server (2k,
> server restarts immediately (bluescreen, complaining about TCPIP.SYS
> and reboots).
Wow. That's pretty bad. Are those machines running with all service
> The crashing can be triggered either by normal windows clients trying
> connect to the server, or by a linux client that does 'telnet x.y.z.t
> the server.
Obviously, those servers are in need of fixing, but perhaps as a work
you can set the MTU on both Openswan servers to 1440 or 1400? My guess
it would be related to MTU/packet-size/DF-bit issues.
Devil-linux-discuss mailing list
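As an added illustration (not part of the original thread, and not code from the Devil-Linux or Openswan projects) of what the suggested TCPMSS rule actually does to a passing SYN: the Python below builds a constructed TCP SYN header carrying an MSS option, applies the same match as `--tcp-flags SYN,RST SYN`, and lowers the MSS so that segment plus TCP and IPv4 headers fit the path MTU, which is the arithmetic behind `--clamp-mss-to-pmtu`. The sample segment, port numbers and the 1400-byte path MTU are constructed values; a 20-byte IPv4 header without options is assumed, and checksum recomputation is left out (the kernel target fixes the checksum up itself).

```python
import struct

# TCP option kinds (RFC 793 / RFC 2018)
TCP_OPT_END = 0
TCP_OPT_NOP = 1
TCP_OPT_MSS = 2
TCP_OPT_SACK_PERMITTED = 4
FLAG_SYN = 0x02
FLAG_RST = 0x04
TCP_FIXED_HEADER = 20
IPV4_HEADER = 20  # assumption: no IP options


def build_syn(mss, with_sack_permitted=False):
    """Construct a sample TCP SYN header that advertises the given MSS."""
    options = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    if with_sack_permitted:
        # NOP, NOP, SACK-permitted (len 2) in front of MSS: exercises option skipping
        options = bytes([TCP_OPT_NOP, TCP_OPT_NOP, TCP_OPT_SACK_PERMITTED, 2]) + options
    data_offset_words = (TCP_FIXED_HEADER + len(options)) // 4
    offset_flags = (data_offset_words << 12) | FLAG_SYN
    # src port, dst port, seq, ack, offset+flags, window, checksum, urgent (constructed)
    header = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, offset_flags, 65535, 0, 0)
    return header + options


def matches_clamp_rule(segment):
    """Mirror iptables '--tcp-flags SYN,RST SYN': SYN set and RST clear."""
    flags = segment[13]
    return bool(flags & FLAG_SYN) and not (flags & FLAG_RST)


def _find_mss_option(segment):
    """Walk the TCP option list; return the offset of the MSS option or None."""
    data_offset = (segment[12] >> 4) * 4
    i = TCP_FIXED_HEADER
    while i < data_offset:
        kind = segment[i]
        if kind == TCP_OPT_END:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("truncated TCP option")
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("bad TCP option length")
        if kind == TCP_OPT_MSS and length == 4:
            return i
        i += length
    return None


def parse_mss(segment):
    """Return the advertised MSS, or None if the SYN carries no MSS option."""
    pos = _find_mss_option(segment)
    if pos is None:
        return None
    return struct.unpack("!H", segment[pos + 2:pos + 4])[0]


def clamp_mss(segment, path_mtu):
    """Lower the MSS so MSS + TCP + IPv4 headers fit in path_mtu (--clamp-mss-to-pmtu).

    Only SYNs matching the rule are touched, and the MSS is never raised.
    TCP checksum recomputation is omitted; the kernel target handles that.
    """
    if not matches_clamp_rule(segment):
        return segment
    pos = _find_mss_option(segment)
    if pos is None:
        return segment
    max_mss = path_mtu - IPV4_HEADER - TCP_FIXED_HEADER
    current = struct.unpack("!H", segment[pos + 2:pos + 4])[0]
    if current <= max_mss:
        return segment
    out = bytearray(segment)
    out[pos + 2:pos + 4] = struct.pack("!H", max_mss)
    return bytes(out)


if __name__ == "__main__":
    syn = build_syn(1460, with_sack_permitted=True)  # typical Ethernet MSS
    clamped = clamp_mss(syn, 1400)  # path MTU suggested in the thread
    print("before:", parse_mss(syn), "after:", parse_mss(clamped))
```

With a 1400-byte path MTU the 1460-byte MSS of an Ethernet-attached host is rewritten to 1360, so neither peer ever emits a full-size segment that would need fragmentation or would be dropped when the DF bit is set inside the tunnel.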