After switching a pair of firewalls to m0n0wall <> m0n0wall I am
experiencing fragmented ESP packets that did not occur on Linux <>
Linux. This is a problem for me because somewhere along the path the
extra packet of the fragmented ESP packets is dropped (out of my control).
In Linux and freeswan there was an IPSEC interface that by default in
RedHat/Fedora was brought up with a lowered MTU to keep ESP from
fragmenting. There was no need to force the MTU or MSS of other
interfaces (WAN, etc.). This kept the IPSEC ESP packets from fragmenting
because all connections through the IPSEC tunnel, and only connections
going through the IPSEC tunnel, were affected by the lowered MTU.
Is there a way to do this with m0n0wall? Running ifconfig did not show
an ipsec interface to set the MTU on, so I assume FreeBSD does things
much differently? I am aware that I should be able to set all the
systems' local IP stacks behind the firewalls to a lowered MTU, but that
is not going to be an option for me because of the control issue, not
to mention the headaches of making sure all new systems have that setting.
If there is no way to do what I need with m0n0wall, is this a limitation
of FreeBSD or just m0n0wall's implementation of IPSEC on FreeBSD?
*A big thanks to http://www.xs4all.nl/~fredmol/m0n0/ for the ssh/tcpdump-enabled
m0n0wall images. I would never have been able to figure this
out without looking at the network traffic. I hope that m0n0wall
supports tcpdump in some form in the future, because troubleshooting
without looking at the raw network traffic can be very difficult and
almost impossible at times.
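To see why a 1500-byte inner packet fragments once it is wrapped in ESP, and what inner MTU the old ipsec interface effectively enforced, here is an added calculation (not from the post or from m0n0wall) using the ESP tunnel-mode header sizes from RFC 2406/4303. It assumes IPv4 without options, 3DES-CBC or AES-CBC, a 12-byte HMAC-96 ICV, and optionally the 8-byte UDP header added by NAT-Traversal.

```python
# Added example: ESP tunnel-mode size arithmetic (RFC 2406/4303, IPv4).
# Not m0n0wall or freeswan code; header sizes are the standard ones.

IPV4_HDR = 20       # outer IPv4 header, no options
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
UDP_HDR = 8         # only present with NAT-Traversal (UDP encapsulation)

# cipher -> (block size, IV size); authenticator -> ICV size, all in bytes
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}
AUTHS = {"hmac-md5-96": 12, "hmac-sha1-96": 12}


def esp_tunnel_size(inner_len, cipher="3des-cbc", auth="hmac-sha1-96", nat_t=False):
    """Length of the outer IPv4 packet carrying an inner packet of inner_len bytes."""
    block, iv = CIPHERS[cipher]
    # inner packet + trailer is padded up to a whole number of cipher blocks
    plain = inner_len + ESP_TRAILER
    padded = -(-plain // block) * block
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv + padded + AUTHS[auth]


def max_inner_mtu(path_mtu=1500, cipher="3des-cbc", auth="hmac-sha1-96", nat_t=False):
    """Largest inner packet whose ESP encapsulation still fits in path_mtu.

    This is the MTU a tunnel-only interface (or an MSS clamp) would need to
    enforce so the ESP packet itself never fragments on the outer path.
    """
    block, iv = CIPHERS[cipher]
    fixed = IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv + AUTHS[auth]
    room = (path_mtu - fixed) // block * block   # only whole cipher blocks fit
    return room - ESP_TRAILER


def will_fragment(inner_len, path_mtu=1500, **kw):
    """True when the encapsulated packet exceeds the outer path MTU."""
    return esp_tunnel_size(inner_len, **kw) > path_mtu


if __name__ == "__main__":
    # A full 1500-byte Ethernet frame from a LAN host becomes 1552 bytes of ESP
    print("1500-byte inner packet ->", esp_tunnel_size(1500), "bytes outer")
    for c in CIPHERS:
        for nat in (False, True):
            print(f"{c:9} nat-t={nat!s:5} safe inner MTU = {max_inner_mtu(cipher=c, nat_t=nat)}")
```

Running it shows that 3DES/SHA1 without NAT-T needs an inner MTU of 1446 (AES-CBC: 1438), which is the kind of value the freeswan ipsec interface was lowered to.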