> -----Original Message-----
> From: Vincent Fleuranceau [mailto:vincent at bikost dot com]
> Sent: Tuesday, 24 August 2004 19:16
> Hi all,
> I may make some of you laugh, but just in case...
> I've noticed fragmentation problems between Windows clients (2000 and
> XP) and servers (NT 4.0) through a m0n0wall <-> m0n0wall IPsec tunnel.
> To fix this, I've allowed fragmented packets in the default
> filter rule (thanks Justin for the tip), but I also had to
> change the WAN interface MTU to 1472. This value was found
> after experiments, of course.
> 1 - Shouldn't the MTU be automatically adjusted when IPsec is
> in use, to take the IPsec headers and encapsulation overload
> into account?
> 2 - Shouldn't fragmentation be allowed by default, except for
> extra paranoid situations?
> Thanks in advance,
> -- Vincent
I, too, have seen a similar thing and have posted in the "Users" list a
short while back. Windows Small Business Server 2003 is reporting
overlength (fragmented?) DNS packets being sent to it by the m0n0wall
box. I have no IPSEC tunnels in operation (although I do have some
I don't think that the *entire* MTU should be adjusted down when IPSEC
is configured as much of the outbound traffic is not going to be
packaged in an IPSEC header, but I do agree that the IPSEC traffic
should be adjusted.
The information I posted in the "Users" list has the subject of "DNS
information/error in event log" and the original post was dated
Hilton Travis Phone: +61 (0)7 3343 3889
(Brisbane, Australia) Phone: +61 (0)419 792 394
Manager, Quark IT http://www.quarkit.com.au
Quark AudioVisual http://www.quarkav.net
http://www.threatcode.com/ <-- its now time to shame poor coders
into writing code that is acceptable for use on today's networks
War doesn't determine who is right. War determines who is left.