Hi all,
I may make some of you laugh, but just in case...
I've noticed fragmentation problems between Windows clients (2000 and
XP) and servers (NT 4.0) through a m0n0wall <-> m0n0wall IPsec tunnel.
To fix this, I've allowed fragmented packets in the default filter rule
(thanks Justin for the tip), but I also had to change the WAN interface
MTU to 1472. This value was found after experiments, of course.
Questions:
1 - Shouldn't the MTU be automatically adjusted when IPsec is in use, to
take the IPsec headers and encapsulation overload into account?
2 - Shouldn't fragmentation be allowed by default, except for extra
paranoid situations?
Thanks in advance,
-- Vincent