 
 From:  "Kristian Shaw" <monowall at wealdclose dot co dot uk>
 To:  <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  Force NAT-T?
 Date:  Sat, 16 Feb 2008 20:48:57 -0000
Hello,

When I was setting up vm machines to test a NAT-T problem it took me a while 
to realise that this mode is only used if a NAT device is detected, else ESP 
is used instead.

Should the setting for NAT-T in m0n0wall enable the 'nat_traversal force' in 
racoon.conf? That way, those people who don't use NAT, but can't pass ESP, 
can make use of NAT-T?

Kris.

----- Original Message ----- 
From: "Kristian Shaw" <monowall at wealdclose dot co dot uk>
To: <m0n0wall at lists dot m0n0 dot ch>

Sent: Saturday, February 16, 2008 8:16 PM
Subject: Re: [m0n0wall] Problem with IPSec VPN Tunnel - MTU-Size?


> Hello,
>
> I did some testing and I was able to replicate the problem with packets 
> being dropped in IPSEC NAT-T mode.
>
> If filter.inc is modified to allow fragmented packets on port 4500 
> (automatic rule that is created when IPSEC is enabled) then everything 
> appears to work OK.
>
> # Pass NAT-T encapsulated ESP packets
> pass in quick on {$ifname} proto udp from any to {$ip} port = 4500 keep frags
> pass out quick on {$ifname} proto udp from {$ip} port = 4500 to any keep frags
>
> Regards,
>
> Kris.
>
> ----- Original Message ----- 
> From: "JR" <tiresias at gmail dot com>
> To: "Michael Stecher" <Michael dot Stecher at cib dot de>; <m0n0wall at lists dot m0n0 dot ch>
> Sent: Saturday, February 16, 2008 5:44 PM
> Subject: Re: [m0n0wall] Problem with IPSec VPN Tunnel - MTU-Size?
>
>
>> On Feb 13, 2008 3:51 AM, Michael Stecher <Michael dot Stecher at cib dot de> wrote:
>>> Hello,
>>>
>>> we've got a running IPSec tunnel between two locations. Now we've got 
>>> the problem that some packets get lost. We've changed the MTU on a 
>>> client PC to 1400 and everything works fine.
>>>
>>> Now my question: Is it possible to change the MTU size (or the 
>>> MSS value) of the tunnel?
>>>
>>> More detailed information is described here: 
>>> http://forum.m0n0.ch/index.php/topic,1630.0.html
>>
>> I had the same MTU problem with an IPSEC tunnel a few years ago. Both
>> were on cable and I checked with the ISP but they told me they saw no
>> problems. I ended up setting up tunnels from both sites (I'll call
>> them A and B) to a third location known to be working with IPSEC VPN
>> to track down the problem. From site A to the third site, the tunnel
>> worked perfectly at any packet size. From site B to the third site I
>> saw the same MTU problem with large packets lost on the VPN.  I went
>> back to the ISP with this information and they found out that the
>> cable modem at site B had known problems with IPSEC. They replaced it
>> with the same model that we had at site A (Cisco UBR900) and then the
>> MTU problem went away and the tunnel worked great.
>>
>> Maybe this is relevant to your problem, maybe not, but I did see you
>> mentioned some type of modem at your remote site. Creating tunnels to
>> a third site might be a useful test and if it turns up similar results
>> you might check that modem or swap it out.
>>
>> JR
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
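Added example (editor's note, not code from this thread or from m0n0wall itself): a small POSIX shell audit covering both points raised above, the racoon.conf NAT-T mode and the "keep frags" fix to the UDP 4500 rules. It assumes racoon.conf uses the ipsec-tools directive "nat_traversal (on|off|force);" inside a "remote" block and that the rules are in ipfilter syntax as filter.inc writes them out; the interface name, the addresses and both sample inputs are constructed for the demo.

```sh
#!/bin/sh
# Added example, not m0n0wall's code: audit and fix the two settings
# discussed in this thread. Assumes racoon.conf carries the ipsec-tools
# directive "nat_traversal (on|off|force);" inside a "remote" block, and
# that the firewall rules are ipfilter syntax as written by filter.inc.
# Interface name, addresses and both sample inputs below are constructed.

# Print the nat_traversal mode of a racoon.conf read from stdin: on, off,
# force, or "unset" when the directive is absent. With "on", racoon only
# switches to UDP encapsulation once a NAT is detected in the path; only
# "force" encapsulates even when no NAT is present.
nat_t_mode() {
    awk '
        /^[[:space:]]*#/ { next }                       # skip comment lines
        $1 == "nat_traversal" { sub(/;.*/, "", $2); print $2; found = 1; exit }
        END { if (!found) print "unset" }
    '
}

# Rewrite a racoon.conf from stdin so that nat_traversal is forced, the
# change Kris suggests the m0n0wall NAT-T setting should make.
force_nat_t() {
    awk '
        $1 == "nat_traversal" { sub(/nat_traversal[[:space:]]+(on|off|force)/, "nat_traversal force") }
        { print }
    '
}

# Print every ipfilter rule from stdin that matches UDP port 4500 (NAT-T)
# but lacks "keep frags"; exit 1 if any were printed. Non-first fragments
# carry no UDP header, so a rule matching on port 4500 alone cannot pass
# them; "keep frags" is what lets them through.
nat_t_rules_missing_frags() {
    awk '
        /^[[:space:]]*#/ { next }
        /proto udp/ && /port = 4500/ && !/keep frags/ { print; bad = 1 }
        END { if (bad) exit 1 }
    '
}

# Constructed racoon.conf fragment in the shape ipsec-tools expects.
SAMPLE_RACOON='remote 203.0.113.10 {
    exchange_mode main;
    nat_traversal on;
    proposal_check obey;
}'

# Constructed ipfilter rules: the first pair lacks "keep frags" (assumed
# to be the pre-fix shape), the second pair is the fix from this thread.
SAMPLE_RULES='# Pass NAT-T encapsulated ESP packets
pass in quick on sis0 proto udp from any to 198.51.100.1 port = 4500
pass out quick on sis0 proto udp from 198.51.100.1 port = 4500 to any
pass in quick on sis0 proto udp from any to 198.51.100.1 port = 4500 keep frags
pass out quick on sis0 proto udp from 198.51.100.1 port = 4500 to any keep frags'

main() {
    echo "nat_traversal before: $(printf '%s\n' "$SAMPLE_RACOON" | nat_t_mode)"
    echo "nat_traversal after:  $(printf '%s\n' "$SAMPLE_RACOON" | force_nat_t | nat_t_mode)"
    if printf '%s\n' "$SAMPLE_RULES" | nat_t_rules_missing_frags; then
        echo "all NAT-T rules keep frags"
    else
        echo "the rules above need 'keep frags' appended"
    fi
}

main
```

On a real box you would feed the generated racoon.conf and the output of "ipfstat -io" to the two check functions instead of the constructed samples; the rewrite function is only a demonstration of the proposed change, since m0n0wall regenerates racoon.conf from config.xml and any hand edit is lost on the next reload.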