 From:  Adam Gibson <agibson at ptm dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  m0n0wall(freebsd) ipsec MTU vs Freeswan(Linux) ipsec MTU issues
 Date:  Wed, 02 Nov 2005 10:27:45 -0500
After switching a pair of firewalls to m0n0wall <> m0n0wall I am 
experiencing fragmented ESP packets that did not occur on Linux <> 
Linux.  This is a problem for me because somewhere along the path the 
extra packets of the fragmented ESP packets are dropped (out of my control).

In Linux and freeswan there was an IPSEC interface that by default in 
RedHat/Fedora was brought up with a lowered MTU to keep ESP from 
fragmenting.  There was no need to force the MTU or MSS of other 
interfaces (WAN, etc.).  This kept the IPSEC ESP packets from fragmenting 
because all connections through the IPSEC tunnel and only connections 
going through the IPSEC tunnel were affected by the lowered MTU.

Is there a way to do this with m0n0wall?  Running ifconfig did not show 
an ipsec interface to set the MTU on, so I assume FreeBSD does things 
much differently?  I am aware that I should be able to set all the 
systems' local IP stacks behind the firewalls to a lowered MTU, but that 
is not going to be an option for me because of the control issue, not 
to mention the headaches of making sure all new systems have that setting.

If there is no way to do what I need with m0n0wall is this a limitation 
of freebsd or just m0n0wall's implementation of ipsec on freebsd?

*A big thanks to http://www.xs4all.nl/~fredmol/m0n0/ for the ssh/tcpdump 
enabled m0n0wall images.  I would have never been able to figure this 
out without looking at the network traffic.  I hope that m0n0wall 
supports tcpdump in some form in the future because troubleshooting 
without looking at the raw network traffic can be very difficult and 
almost impossible at times.
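Added worked example, not part of the post above and not code from m0n0wall, FreeBSD or FreeS/WAN: a small calculator that shows why a full-size inner packet no longer fits once ESP tunnel-mode overhead is added, and what inner MTU (or TCP MSS clamp) keeps the outer packet under the path MTU. The header sizes follow RFC 4303 (ESP) and RFC 3948 (UDP encapsulation for NAT-T); it assumes an outer IPv4 header without options and a 1500-byte outer path MTU unless told otherwise. The transform names and sizes in the two tables are the common ones for the listed algorithms, and the 1500-byte sample packet is a constructed input.

```python
"""Size an IPsec ESP tunnel so that encrypted packets fit the outer path MTU.

Added illustration for the MTU question above; not code from m0n0wall,
FreeBSD or FreeS/WAN.  Sizes follow RFC 4303 (ESP) and RFC 3948 (UDP
encapsulation); the outer IPv4 header is assumed to carry no options.
"""

IPV4_HDR = 20        # outer IPv4 header, no options (assumption)
UDP_NATT_HDR = 8     # RFC 3948 UDP encapsulation, only when NAT-T is in use
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # Pad Length (1) + Next Header (1)
TCP_IP_HDRS = 40     # inner IPv4 (20) + TCP (20) without options, for the MSS

# (iv_len, block_len) per ESP cipher; ESP padding aligns to block_len.
CIPHERS = {
    "aes-cbc": (16, 16),
    "3des-cbc": (8, 8),
    "null": (0, 4),   # ESP still requires 4-byte alignment of the trailer
}

# ICV length per integrity transform.
INTEGRITY = {
    "hmac-sha1-96": 12,
    "hmac-md5-96": 12,
    "hmac-sha256-128": 16,
}


def esp_padding(inner_len, block_len):
    """Bytes of ESP padding so that inner packet + pad + trailer is block aligned."""
    return (-(inner_len + ESP_TRAILER)) % block_len


def esp_tunnel_size(inner_len, cipher="aes-cbc", integrity="hmac-sha1-96", natt=False):
    """On-the-wire size of an ESP tunnel-mode packet carrying inner_len bytes."""
    iv_len, block_len = CIPHERS[cipher]
    size = IPV4_HDR + ESP_HDR + iv_len + inner_len
    size += esp_padding(inner_len, block_len) + ESP_TRAILER + INTEGRITY[integrity]
    if natt:
        size += UDP_NATT_HDR
    return size


def max_inner_mtu(path_mtu=1500, cipher="aes-cbc", integrity="hmac-sha1-96", natt=False):
    """Largest inner packet whose ESP encapsulation still fits path_mtu unfragmented."""
    iv_len, block_len = CIPHERS[cipher]
    fixed = IPV4_HDR + ESP_HDR + iv_len + INTEGRITY[integrity]
    if natt:
        fixed += UDP_NATT_HDR
    room = path_mtu - fixed
    # The encrypted part (inner + pad + trailer) is a multiple of block_len:
    # take the largest multiple that fits, then subtract the 2-byte trailer.
    return (room // block_len) * block_len - ESP_TRAILER


def tcp_mss_clamp(path_mtu=1500, **kw):
    """MSS to advertise for TCP through the tunnel: inner MTU minus IP and TCP headers."""
    return max_inner_mtu(path_mtu, **kw) - TCP_IP_HDRS


def fragments(inner_len, path_mtu=1500, **kw):
    """True when the encapsulated packet would be fragmented on the outer path."""
    return esp_tunnel_size(inner_len, **kw) > path_mtu


if __name__ == "__main__":
    # Constructed sample: a full 1500-byte packet from a LAN host behind the firewall.
    for cipher, integ, natt in [("aes-cbc", "hmac-sha1-96", False),
                                ("3des-cbc", "hmac-md5-96", False),
                                ("aes-cbc", "hmac-sha1-96", True)]:
        wire = esp_tunnel_size(1500, cipher, integ, natt)
        print(f"{cipher:8s} {integ:13s} natt={natt!s:5s} 1500-byte inner -> {wire} on the wire,"
              f" fragments={fragments(1500, cipher=cipher, integrity=integ, natt=natt)};"
              f" inner MTU {max_inner_mtu(cipher=cipher, integrity=integ, natt=natt)},"
              f" TCP MSS {tcp_mss_clamp(cipher=cipher, integrity=integ, natt=natt)}")
```

With AES-CBC and HMAC-SHA1-96 a 1500-byte inner packet becomes 1560 bytes of ESP, which is exactly the fragmentation described above; the largest inner packet that still fits is 1438 bytes, so an inner MTU of 1438 (or, for TCP only, an MSS clamp of 1398) keeps the outer packets whole. NAT-T costs a further 8 bytes per packet, and the value changes with the cipher block size, so recompute it whenever the transform set changes.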