[Swan] libreswan tunnel causing ICMP redirects to go wrong way

Paul Wouters paul at nohats.ca
Sun Jan 18 01:05:25 EET 2015

On Wed, 14 Jan 2015, Eric Paris wrote:

> I tried setting the mtu on the internal nic of the router to 1422. I
> figured that would force everyone on the LAN to back off. But I can
> still ping the router from the lan with packets bigger than 1422!

I assume those packets fragmented and got reassembled? The problem with
IPsec and fragmentation is when the packet got encrypted too big, the
intermediate routers cannot do anything. It can send an ICMP message
but that can't be trusted and it won't make it back to the client.

> I know that the mss-to-pmtu type suggestions in iptables rules won't
> help, because this is ICMP, not TCP. This is only about pmtu being
> busted. I think because ICMP packets are going the wrong way. If I
> capture packets on the server, on the other side of the internet, I see
> the ICMP unreachable with mss=1422 packets with
>  source: router external interface
>  destination: my client on the lan who isn't getting his packets

Did you disable send_redirects in sysctl.conf? The Linux kernel gets
very confused about this. It determines redirects based on incoming
and outgoing interface without knowing that a packet got encrypted or
decrypted. (I disabled these on your remote server but perhaps you
didn't do that on your local end?)

net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

Do a reboot for the default to take effect on all interfaces, or run:

for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/send_redirects; done

Regardless, PMTU can't really be relied on with IPsec. You have to try
and prevent it. Hence the iptables clamping suggestions in our FAQ for

> So why are ICMP packets created on the router not going out the LAN
> interface and instead going out the tunnel to the server?  How do I fix
> it? What do I have set up wrong?

> # cat /etc/ipsec.d/eparis-vpn.conf
> conn tv
>    authby=secret
>    pfs=no
>    auto=add
>    rekey=no
>    left=
>    leftsubnet=
>    right=%any
>    rightsubnet=vhost:%priv,%no

using with netkey/xfrm is dangerous. It actually steals local

> # cat /etc/ipsec.d/eparis-vpn.conf
> conn tv
>    authby=secret
>    pfs=no
>    auto=up
>    rekey=no
>    left=
>    leftsubnet=
>    right=%defaultroute
>    ike-frag=yes

So once the tunnel is up EVERYTHING including LAN traffic is sent over
the tunnel, which would include local LAN ICMP messages. Probably not what you wanted?

You need to add a passthrough connection, see:


in your case something like this on your home router:

conn netkey-exclude
 	# your internal ip on the router

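Added example, not part of Paul's message or of libreswan itself: a small POSIX shell script that does the per-interface send_redirects loop from above and then audits which entries (including "all" and "default") still have redirects enabled, which is the check to run after a new interface or tunnel comes up. The interface names and the scratch tree at the bottom are constructed for the demo; point CONF_ROOT at the real /proc tree (as root) to apply it.

```shell
#!/bin/sh
# Disable ICMP redirect generation on every IPv4 interface entry and
# verify the result. CONF_ROOT defaults to the kernel's sysctl tree; the
# demo below uses a scratch copy so it runs without root.

CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Write 0 to send_redirects under every entry of the tree given as $1
# (default: $CONF_ROOT). Returns the number of entries it could not write.
disable_send_redirects() {
    root="${1:-$CONF_ROOT}"
    failed=0
    for dir in "$root"/*; do
        if [ -w "$dir/send_redirects" ]; then
            printf '0\n' > "$dir/send_redirects" || failed=$((failed + 1))
        else
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Print the names of entries whose send_redirects is still non-zero,
# one per line. Prints nothing when every entry is disabled.
redirecting_ifaces() {
    root="${1:-$CONF_ROOT}"
    for dir in "$root"/*; do
        [ -r "$dir/send_redirects" ] || continue
        [ "$(cat "$dir/send_redirects")" = "0" ] || basename "$dir"
    done
}

# Demo on a constructed scratch tree (hypothetical interface names) so
# the real kernel settings are left alone.
demo_tree="${TMPDIR:-/tmp}/send_redirects_demo.$$"
for iface in all default lo eth0 eth1; do
    mkdir -p "$demo_tree/$iface"
    printf '1\n' > "$demo_tree/$iface/send_redirects"
done
echo "before: $(redirecting_ifaces "$demo_tree" | tr '\n' ' ')"
disable_send_redirects "$demo_tree"
echo "after:  $(redirecting_ifaces "$demo_tree" | tr '\n' ' ')"
rm -rf "$demo_tree"
```

To make the change survive a reboot, the two sysctl.conf lines above still need to be present; this script only changes the running kernel.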
