 
 From:  "Gregory Abbott" <blondguyg at seezar dot com>
 To:  "Peter Allgeyer" <allgeyer at web dot de>
 Cc:  "Gregory Abbott" <blondguyg at seezar dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] VPN client trouble behind m0n0wall
 Date:  Fri, 25 Nov 2005 20:35:58 -0500 (EST)
On Fri, November 25, 2005 5:02 am, Peter Allgeyer wrote:
> Hi Gregory!
>
> On Thursday, 24.11.2005, 19:32 -0500, Gregory Abbott wrote:
>> Here is a raw log from the m0n0wall, looks like it's only showing denied
>> packets, I must be missing the setting to log all accepted packets?
> Try setting up a rule like this one at the top of your ruleset:
>
> Interface SRC IP      DST IP          Protocol  SRC Port  DST Port
> LAN       10.5.27.23  66.133.170.14   any       any       any
>
> Set "Allow fragmented packets" and "Log packets that are handled by this
> rule" to true and give us a new output of the raw filter log (including
> the initial SYN packet).
>
> It seems that the people on the concentrator side are blocking ICMP
> message type 3 (Unreachable) code 4 (Fragmentation--DF--Set). Really a
> bad idea when it comes to VPNs.
>
> BR,
>   PIT
>


Thanks so much! Putting in that rule on the LAN interface did the trick.

I'll notify the group about what the concentrator seems to be blocking now
so they can look into it.
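The failure mode discussed in this thread (a VPN that stalls because ICMP type 3 code 4 never reaches the sender) is Path MTU Discovery hitting a black hole. The following is an added illustration, not code from the thread or from m0n0wall: a small simulation of PMTUD over a made-up path of hops, with one variant where a hop on the return path filters the ICMP error. The hop names, MTUs and the `diagnose` heuristic (a small probe gets through, a full-size one does not, which is what the raw filter log with the initial SYN would show) are all constructed for this example.

```python
# Constructed simulation of Path MTU Discovery (RFC 1191) and the black hole
# that appears when ICMP type 3 (Unreachable) code 4 (Fragmentation needed,
# DF set) is filtered. Hop names and MTUs are made up; this is not m0n0wall code.
from dataclasses import dataclass, field
from typing import List, Optional

IP_HDR = 20                 # bytes, IPv4 header without options
TCP_HDR = 20                # bytes, TCP header without options
ICMP_TYPE_UNREACH = 3
ICMP_CODE_FRAG_NEEDED = 4
MAX_RETRIES = 3             # sender gives up after this many unanswered tries at one size


@dataclass
class Hop:
    name: str
    mtu: int                           # largest IP datagram this hop forwards
    filters_icmp_errors: bool = False  # drops ICMP type 3 code 4 travelling back through it


@dataclass
class Result:
    delivered: bool
    final_size: int
    sizes_tried: List[int] = field(default_factory=list)
    icmp_seen: List[dict] = field(default_factory=list)


def forward_df(path: List[Hop], size: int) -> Optional[dict]:
    """Send one DF-set datagram of `size` bytes down `path`.

    Returns None if it reached the far end, the ICMP error if the sender
    would receive one, or {} if the error was generated but filtered on
    its way back (the sender learns nothing).
    """
    for i, hop in enumerate(path):
        if size > hop.mtu:
            # DF is set: the hop must drop the packet and report its next-hop MTU.
            error = {"type": ICMP_TYPE_UNREACH, "code": ICMP_CODE_FRAG_NEEDED,
                     "next_hop_mtu": hop.mtu, "from": hop.name}
            # The error travels back through the hops already traversed.
            if any(h.filters_icmp_errors for h in path[:i]):
                return {}
            return error
    return None


def pmtud_send(path: List[Hop], payload: int, local_mtu: int = 1500) -> Result:
    """Deliver `payload` bytes of TCP data using PMTUD, starting at `local_mtu`."""
    size = min(local_mtu, payload + IP_HDR + TCP_HDR)
    res = Result(delivered=False, final_size=size)
    retries = 0
    while retries < MAX_RETRIES:
        res.sizes_tried.append(size)
        outcome = forward_df(path, size)
        if outcome is None:
            res.delivered, res.final_size = True, size
            return res
        if outcome:                   # ICMP reached us: shrink and retry immediately
            res.icmp_seen.append(outcome)
            size = outcome["next_hop_mtu"]
            retries = 0
            continue
        retries += 1                  # silence: retransmit the same size, then give up
    res.final_size = size
    return res


def diagnose(path: List[Hop]) -> str:
    """Classify a path the way a filter log would show it: small probe vs. full-size probe."""
    syn = pmtud_send(path, payload=0)        # a bare SYN (40 bytes) fits any sane link
    big = pmtud_send(path, payload=1400)     # a full-size data segment
    if syn.delivered and big.delivered and big.icmp_seen:
        return "ok: PMTUD lowered MTU to %d" % big.final_size
    if syn.delivered and not big.delivered:
        return "blackhole: ICMP type 3 code 4 filtered"
    if syn.delivered:
        return "ok"
    return "unreachable"


# Constructed paths. The tunnel hop has a smaller MTU because of encapsulation overhead.
HEALTHY = [Hop("m0n0wall", 1500), Hop("isp", 1500),
           Hop("tunnel", 1400), Hop("concentrator", 1500)]
FILTERED = [Hop("m0n0wall", 1500), Hop("isp", 1500),
            Hop("remote-fw", 1500, filters_icmp_errors=True),
            Hop("tunnel", 1400), Hop("concentrator", 1500)]

if __name__ == "__main__":
    print("healthy :", diagnose(HEALTHY))
    print("filtered:", diagnose(FILTERED))
```

In the healthy path the first 1440-byte segment is bounced with an ICMP carrying the 1400-byte next-hop MTU and the sender immediately resends at 1400; in the filtered path the same segment is dropped three times with no feedback while the 40-byte SYN always gets through, which is exactly the pattern to look for in the filter log before blaming the firewall rules.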