 
 From:  Vincent Fleuranceau <vincent at bikost dot com>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  IPsec, fragmentation and MTU
 Date:  Tue, 24 Aug 2004 11:15:32 +0200
Hi all,

I may make some of you laugh, but just in case...

I've noticed fragmentation problems between Windows clients (2000 and 
XP) and servers (NT 4.0) through a m0n0wall <-> m0n0wall IPsec tunnel.

To fix this, I've allowed fragmented packets in the default filter rule 
(thanks Justin for the tip), but I also had to change the WAN interface 
MTU to 1472. This value was found after experiments, of course.

Questions:

1 - Shouldn't the MTU be automatically adjusted when IPsec is in use, to 
take the IPsec headers and encapsulation overhead into account?

2 - Shouldn't fragmentation be allowed by default, except for extra 
paranoid situations?

Thanks in advance,

-- Vincent
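As an added example (not part of Vincent's message and not m0n0wall's own code), the following Python works out the ESP tunnel-mode overhead that question 1 refers to. It assumes IPv4 without options, ESP with CBC ciphers whose IV equals the cipher block size, padding up to the block size plus a 2-byte trailer, and a 96-bit truncated HMAC ICV; the cipher names, function names, the 1500-byte MTU and the TCP MSS helper are assumptions chosen for illustration, not values taken from m0n0wall's configuration. It shows why a full-size 1500-byte packet no longer fits once encapsulated, and what the largest inner packet is for a given cipher suite.

```python
"""ESP tunnel-mode overhead calculator.

Added example, not m0n0wall code.  Assumptions (see lead-in):
  - outer IPv4 header without options:               20 bytes
  - ESP header (SPI + sequence number):                8 bytes
  - IV of the cipher block size (CBC mode)
  - padding so (inner + pad + 2) is a multiple of the block size
  - ESP trailer (pad length + next header):            2 bytes
  - truncated HMAC ICV (HMAC-MD5-96 / HMAC-SHA1-96):  12 bytes
"""

OUTER_IPV4 = 20
ESP_HDR = 8
ESP_TRAILER = 2
ICV_96 = 12

# Cipher block sizes in bytes; IV length equals block size for CBC ciphers.
CIPHER_BLOCK = {"3des-cbc": 8, "blowfish-cbc": 8, "aes-cbc": 16}


def esp_packet_size(inner_len, cipher="3des-cbc", icv_len=ICV_96):
    """Size on the wire of an inner IPv4 packet of inner_len bytes
    after ESP tunnel-mode encapsulation with the given cipher."""
    block = CIPHER_BLOCK[cipher]
    pad = (-(inner_len + ESP_TRAILER)) % block  # bring payload up to a block boundary
    return OUTER_IPV4 + ESP_HDR + block + inner_len + pad + ESP_TRAILER + icv_len


def max_inner_len(path_mtu=1500, cipher="3des-cbc", icv_len=ICV_96):
    """Largest inner packet whose ESP packet still fits in path_mtu,
    i.e. the inner MTU the tunnel can carry without fragmentation."""
    block = CIPHER_BLOCK[cipher]
    room = path_mtu - OUTER_IPV4 - ESP_HDR - block - icv_len
    room -= room % block  # encrypted part is whole cipher blocks
    return room - ESP_TRAILER


def would_fragment(inner_len, path_mtu=1500, cipher="3des-cbc", icv_len=ICV_96):
    """True if the encapsulated packet exceeds the outgoing MTU."""
    return esp_packet_size(inner_len, cipher, icv_len) > path_mtu


def tcp_mss_for(path_mtu=1500, cipher="3des-cbc", icv_len=ICV_96):
    """TCP MSS that keeps full-size segments inside the tunnel's inner MTU
    (IPv4 header 20 + TCP header 20, no options).  Assumed helper."""
    return max_inner_len(path_mtu, cipher, icv_len) - 40


if __name__ == "__main__":
    for cipher in CIPHER_BLOCK:
        print(f"{cipher:13s} 1500-byte packet -> {esp_packet_size(1500, cipher)} bytes on the wire, "
              f"max inner {max_inner_len(1500, cipher)} bytes, TCP MSS {tcp_mss_for(1500, cipher)}")
```

Running it shows that a 1500-byte inner packet grows to 1552 bytes with 3DES/HMAC-96, so it must be fragmented on a 1500-byte WAN link; the largest inner packet that survives unfragmented is 1446 bytes for 3DES and 1438 bytes for AES-CBC. The exact figure depends on the cipher and authentication algorithms the two m0n0walls negotiate, which is why a value found by experiment, as in the message above, need not match any single one of these numbers.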