 From:  "Quark IT - Hilton Travis" <hilton at quarkit dot com dot au>
 To:  <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall-dev] IPsec, fragmentation and MTU
 Date:  Fri, 27 Aug 2004 07:42:34 +1000
Hi Vincent,

> -----Original Message-----
> From: Vincent Fleuranceau [mailto:vincent at bikost dot com] 
> Sent: Tuesday, 24 August 2004 19:16
> 
> Hi all,
> 
> I may make some of you laugh, but just in case...
> 
> I've noticed fragmentation problems between Windows clients (2000 and
> XP) and servers (NT 4.0) through a m0n0wall <-> m0n0wall IPsec tunnel.
> 
> To fix this, I've allowed fragmented packets in the default 
> filter rule (thanks Justin for the tip), but I also had to 
> change the WAN interface MTU to 1472. This value was found 
> after experiments, of course.
> 
> Questions:
> 
> 1 - Shouldn't the MTU be automatically adjusted when IPsec is 
> in use, to take the IPsec headers and encapsulation overload 
> into account?
> 
> 2 - Shouldn't fragmentation be allowed by default, except for 
> extra paranoid situations?
> 
> Thanks in advance,
> 
> -- Vincent

I, too, have seen a similar thing and have posted in the "Users" list a
short while back.  Windows Small Business Server 2003 is reporting
overlength (fragmented?) DNS packets being sent to it by the m0n0wall
box.  I have no IPSEC tunnels in operation (although I do have some
defined).

I don't think that the *entire* MTU should be adjusted down when IPSEC
is configured as much of the outbound traffic is not going to be
packaged in an IPSEC header, but I do agree that the IPSEC traffic
should be adjusted.

The information I posted in the "Users" list has the subject of "DNS
information/error in event log" and the original post was dated
2004-08-24.

--

Regards,

Hilton Travis                          Phone: +61 (0)7 3343 3889
(Brisbane, Australia)                  Phone: +61 (0)419 792 394
Manager, Quark IT                      http://www.quarkit.com.au
         Quark AudioVisual             http://www.quarkav.net

http://www.threatcode.com/ <-- it's now time to shame poor coders
into writing code that is acceptable for use on today's networks

War doesn't determine who is right.  War determines who is left.
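Vincent's first question (how far the MTU has to drop to absorb the IPsec overhead) comes down to arithmetic on ESP tunnel-mode encapsulation. The Python below is an added example, not code from this thread or from m0n0wall; the header and trailer sizes are the ESP protocol constants, the suite table and the function names are choices made here, and the optional NAT-T term assumes the RFC 3948 UDP encapsulation.

```python
# Added example (not from the mailing-list thread or m0n0wall): estimate the
# ESP tunnel-mode overhead so the cleartext MTU can be lowered just enough to
# keep the encrypted packets from being fragmented on the WAN.
from dataclasses import dataclass

IPV4_HEADER = 20   # outer IP header added by tunnel mode
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1), inside the encrypted part
NAT_T_UDP = 8      # UDP header when ESP is wrapped for NAT traversal


@dataclass(frozen=True)
class EspSuite:
    name: str
    block_size: int  # cipher block size; the encrypted part is padded to it
    iv_len: int      # explicit IV carried after the ESP header
    icv_len: int     # integrity check value appended after the trailer


# Suites typical for the era of the thread; names are labels chosen here.
SUITES = {
    "3des-sha1": EspSuite("3DES-CBC / HMAC-SHA1-96", 8, 8, 12),
    "aes128-sha1": EspSuite("AES-128-CBC / HMAC-SHA1-96", 16, 16, 12),
}


def esp_tunnel_packet_len(inner_len: int, suite: EspSuite,
                          nat_traversal: bool = False) -> int:
    """On-the-wire size of an inner IP packet after ESP tunnel encapsulation."""
    # Inner packet plus trailer is padded up to a multiple of the block size.
    plain = inner_len + ESP_TRAILER
    padded = -(-plain // suite.block_size) * suite.block_size
    total = IPV4_HEADER + ESP_HEADER + suite.iv_len + padded + suite.icv_len
    return total + (NAT_T_UDP if nat_traversal else 0)


def max_inner_len(path_mtu: int, suite: EspSuite,
                  nat_traversal: bool = False) -> int:
    """Largest inner packet that fits path_mtu without fragmenting the outer packet.

    This is the value an interface or per-tunnel MTU would be lowered to.
    Padding makes the overhead step-wise, so search downward from the MTU.
    """
    inner = path_mtu
    while esp_tunnel_packet_len(inner, suite, nat_traversal) > path_mtu:
        inner -= 1
    return inner


if __name__ == "__main__":
    for key, suite in SUITES.items():
        print(f"{suite.name}: inner MTU {max_inner_len(1500, suite)} for a 1500-byte WAN")
```

Because the padding rounds to the cipher block size, lowering the MTU by the worst-case overhead wastes a few bytes with some payload lengths; the loop above accounts for that rather than subtracting a fixed number.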