After switching a pair of firewalls to m0n0wall <> m0n0wall I am experiencing fragmented ESP packets that did not occur on Linux <> Linux. This is a problem for me because somewhere along the path the extra packets of the fragmented ESP packets are dropped (out of my control). In Linux and FreeS/WAN there was an IPSEC interface that by default in Red Hat/Fedora was brought up with a lowered MTU to keep ESP from fragmenting. There was no need to force the MTU or MSS of other interfaces (WAN, etc.). This kept the IPSEC ESP packets from fragmenting because all connections through the IPSEC tunnel, and only connections going through the IPSEC tunnel, were affected by the lowered MTU.

Is there a way to do this with m0n0wall? Running ifconfig did not show an ipsec interface to set the MTU on, so I assume FreeBSD does things much differently? I am aware that I should be able to set all the systems' local IP stacks behind the firewalls to a lowered MTU, but that is not going to be an option for me because of the control issue, not to mention the headaches of making sure all new systems have that setting. If there is no way to do what I need with m0n0wall, is this a limitation of FreeBSD or just m0n0wall's implementation of ipsec on FreeBSD?

*A big thanks to http://www.xs4all.nl/~fredmol/m0n0/ for the ssh/tcpdump enabled m0n0wall images. I would have never been able to figure this out without looking at the network traffic. I hope that m0n0wall supports tcpdump in some form in the future, because troubleshooting without looking at the raw network traffic can be very difficult and almost impossible at times.
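The fragmentation described in the post comes from ESP tunnel-mode overhead: a full-size 1500-byte inner packet gains an outer IP header, SPI/sequence fields, an IV, CBC padding, a two-byte trailer and an ICV, so it no longer fits a 1500-byte path MTU. The script below is an added example, not code from the post or from m0n0wall; it computes that overhead from the standard ESP layout (RFC 4303) and derives the largest inner MTU and matching TCP MSS clamp that keep ESP packets whole. The cipher and integrity algorithms (3DES-CBC or AES-CBC with HMAC-SHA1-96) and the 1500-byte outer MTU are assumptions, since the post does not state the phase 2 proposal in use.

```python
"""ESP tunnel-mode overhead calculator (added example, not from the post).

Layout of an ESP tunnel-mode packet (RFC 4303):
  outer IP (20) | SPI (4) | SEQ (4) | IV | inner packet + pad | pad len (1) | next hdr (1) | ICV

The inner packet plus the two trailer bytes is padded up to the cipher block size.
All algorithm sizes below are the standard values for the named algorithms; which
of them the original m0n0wall tunnels actually used is an assumption.
"""

OUTER_IP_HEADER = 20   # IPv4, no options
ESP_SPI_SEQ = 8        # SPI (4) + sequence number (4)
PAD_TRAILER = 2        # pad length (1) + next header (1)

# cipher name -> (block size, IV length)
CIPHERS = {
    "3des-cbc": (8, 8),
    "aes-cbc": (16, 16),
}
# integrity algorithm -> ICV length (truncated HMAC)
AUTH_ICV = {
    "hmac-sha1-96": 12,
    "hmac-md5-96": 12,
}


def esp_packet_size(inner_len, cipher="3des-cbc", auth="hmac-sha1-96"):
    """Size on the wire of one ESP tunnel-mode packet carrying inner_len bytes."""
    block, iv_len = CIPHERS[cipher]
    icv_len = AUTH_ICV[auth]
    body = inner_len + PAD_TRAILER
    padded = -(-body // block) * block          # round up to the block size
    return OUTER_IP_HEADER + ESP_SPI_SEQ + iv_len + padded + icv_len


def will_fragment(inner_len, outer_mtu=1500, cipher="3des-cbc", auth="hmac-sha1-96"):
    """True if encapsulating inner_len bytes exceeds the outer path MTU."""
    return esp_packet_size(inner_len, cipher, auth) > outer_mtu


def max_inner_mtu(outer_mtu=1500, cipher="3des-cbc", auth="hmac-sha1-96"):
    """Largest inner packet that still fits in outer_mtu after ESP encapsulation.

    This is the value the old Linux ipsec interface MTU effectively enforced.
    A linear scan downward is fine for MTU-sized numbers.
    """
    for n in range(outer_mtu, 0, -1):
        if not will_fragment(n, outer_mtu, cipher, auth):
            return n
    return 0


def tcp_mss_for(inner_mtu):
    """TCP MSS clamp equivalent to an inner MTU: MTU minus IPv4 (20) and TCP (20) headers."""
    return inner_mtu - 40


if __name__ == "__main__":
    for cipher in CIPHERS:
        full = esp_packet_size(1500, cipher)
        fit = max_inner_mtu(1500, cipher)
        print(f"{cipher:9s} 1500-byte inner packet -> {full} bytes on the wire "
              f"({'fragments' if full > 1500 else 'fits'}); "
              f"max inner MTU {fit}, MSS clamp {tcp_mss_for(fit)}")
```

Running it shows why a 1500-byte inner MTU always fragments and what the lowered MTU on the Linux side was doing implicitly; the MSS value is what one would clamp on TCP flows entering the tunnel if no per-tunnel MTU knob is available.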