 
 From:  George Bourozikas <george at bourozikas dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Ping Size Windows GPO
 Date:  Fri, 1 Jul 2005 14:01:06 -0400
On Friday 01 July 2005 13:34, Mat Murdock wrote:
> George Bourozikas wrote:
> >On Friday 01 July 2005 12:29, edward mzj wrote:
> >>try to allow fragmented icmp echo-request and echo reply packets. i'm not
> >>sure
> >>
> >>On 7/2/05, Mat Murdock <mmurdock underscore lists at kimballequipment dot com> wrote:
> >>>I was wondering if there was a way to increase the allowed ping size
> >>>over a m0n0 to m0n0 ipsec vpn. The reason is as follows:
> >>>
> >>>   When running a M$ based network with a central location and numerous
> >>>   satellite locations, you may encounter a rather nasty problem.
> >
> >No, this does not work.  The only way I have found to get IPsec VPNs to
> > work with m0n0 is by decreasing the MTU until there are no fragmented
> > packets, at least in the next hop (in my case ADSL).
> >
> >--george
>
> I think this is an IPsec setting that allows large ping packets.
>
> Mat

It is, but it did not work for me with v1.11, 1.12b3 and 1.2b7.  After 
numerous attempts to get info from the list I had an off-list discussion with 
Jason Ellingson who pointed me in the MTU direction:

On Thursday 31 March 2005 18:48, you wrote:
> Are you on DSL?
> ------------------------------------------------------------
> Jason J Ellingson

On Friday 01 April 2005 10:29, you wrote:
> I think that is the problem.  All mine are on Cable or DS-1/3.
>
> My guess is that the 1492 MTU used for DSL PPPoE on the WAN configuration
> page isn't being observed by packets entering the IPSec tunnel.
> ------------------------------------------------------------
> Jason J Ellingson

Unfortunately I was unable to set the MTU successfully on the m0n0 boxes (I 
guess packets enter the tunnel before they hit the interface) so I had to clip 
the MTUs on each server and client on both ends.  This degrades LAN 
performance slightly but it does improve Internet and IPsec performance - in 
the latter case it's a division by zero :-)

Let us know if something like this works for you.

Good luck,
--george
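For anyone who would rather work out the MTU than lower it by trial and error, here is an added Python example (not part of this message, the thread, or m0n0wall). It estimates the largest inner packet an ESP tunnel can carry over the 1492-byte PPPoE link mentioned above and then confirms the figure with a Don't-Fragment ping search; the ESP overhead values, cipher suites and the Linux iputils `ping -M do` flags are assumptions.

```python
"""Added example (not from the thread or m0n0wall): estimate the inner MTU that
fits an ESP tunnel-mode packet into a PPPoE WAN MTU, then confirm it empirically
by binary-searching the size of a Don't-Fragment ping."""
import shutil
import subprocess
from typing import Callable

PPPOE_MTU = 1492          # PPPoE WAN MTU quoted in the thread
IPV4_HDR = 20             # outer IPv4 header added by ESP tunnel mode
ESP_HDR = 8               # SPI + sequence number
ESP_TRAILER = 2           # pad-length + next-header bytes
# Assumed cipher/MAC suites: (IV length, cipher block size, ICV length) in bytes.
SUITES = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
}

def inner_mtu(wan_mtu: int = PPPOE_MTU, suite: str = "aes-cbc/hmac-sha1-96") -> int:
    """Largest inner IPv4 packet whose ESP encapsulation still fits in wan_mtu."""
    iv, block, icv = SUITES[suite]
    body = wan_mtu - IPV4_HDR - ESP_HDR - iv - icv   # room for the encrypted body
    body -= body % block                             # body must be a block multiple
    return body - ESP_TRAILER                        # zero padding at this exact size

def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Binary-search the largest total IPv4 size for which probe(size) succeeds.
    Assumes probe(lo) succeeds and that success is monotonic in size."""
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo

def ping_df_probe(host: str) -> Callable[[int], bool]:
    """Probe with Linux iputils ping and DF set (-M do). -s is the ICMP payload,
    so the 20-byte IP and 8-byte ICMP headers are subtracted from the total size."""
    if shutil.which("ping") is None:
        raise RuntimeError("ping not found on this system")
    def probe(size: int) -> bool:
        cmd = ["ping", "-c", "1", "-W", "1", "-M", "do", "-s", str(size - 28), host]
        return subprocess.run(cmd, capture_output=True).returncode == 0
    return probe

if __name__ == "__main__":
    for name in SUITES:
        print(f"{name}: inner MTU over a {PPPOE_MTU}-byte PPPoE link = {inner_mtu(suite=name)}")
    # Live check against a host on the far side of the tunnel (placeholder address):
    # print(find_path_mtu(ping_df_probe("10.0.1.1")))
```

If the measured value comes out below the estimate, the extra loss is usually a second encapsulation (such as NAT-T's UDP header) or a smaller MTU further along the path.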