Just re-reading your email and you mention rules for ESP and AH. These
aren't necessary because m0n0wall will automatically add rules for those
protocols on each interface when you enable IPSEC.
The place to enable 'allow fragmented packets' is on the rule that allows
traffic out from the LAN.
----- Original Message -----
From: "Jeff Buehler" <jeff at buehlertech dot com>
To: "Kris Shaw" <monowall at wealdclose dot co dot uk>
Sent: Friday, February 10, 2006 4:23 PM
Subject: Re: [m0n0wall] outlook -> exchange problem
> Hi -
> Yep - I considered those possibilities as well. No upstream router that
> would be interfering. No other rule in the set that would (or should,
> anyway!) interfere. Just ESP and AH with no crossover (no Pass All or
> I may try rebooting the router (it rebooted after the upgrade, but perhaps
> another reboot won't hurt after all the messing about with it I have been
> doing). Is there a way to verify that the upgrade "took" - something I
> should look for in the status.php page that indicates the correct binary
> is actually in use?
> Thanks again,
> Kris Shaw wrote:
>> I am not sure why you are still having problems, at the moment I can only
>> think of two reasons:
>> 1. Some other rule is masking the rule that allows fragmented
>> 2. There is an upstream router that has a lower MTU (but that wouldn't
>> explain why the ping works one way but not the other).
>> AH = the packet comes from who it says it comes from
>> ESP = the contents of the packet are encrypted
>> ----- Original Message -----
>> From: "Jeff Buehler" <jeff at buehlertech dot com>
>> To: "Kris Shaw" <monowall at wealdclose dot co dot uk>
>> Cc: <m0n0wall at lists dot m0n0 dot ch>
>> Sent: Friday, February 10, 2006 3:45 PM
>> Subject: Re: [m0n0wall] outlook -> exchange problem
>>> Hi Kris -
>>> I am pinging the m0n0wall itself - I get the same behavior with devices
>>> behind the m0n0wall in each of the three given VPNs. After modifying
>>> ESP and AH protocols to allow fragmented packets, I have verified that
>>> keep frags is enabled in the status.php page.
>>> The behavior remains the same - one of the three m0n0walls still cannot
>>> successfully get a reply after pinging a fragmented packet to either of
>>> the other two, while the other two can ping it and each other with a
>>> fragmented packet successfully.
>>> By the way, thank you for this modification to m0n0wall - this (and the
>>> use of AH instead of ESP) seems to have solved my problem with Outlook
>>> keeping a solid connection with Exchange across the VPN. I am going to
>>> test ESP again tonight and see if it works with the new .iso image of
>>> m0n0wall. I'll keep looking into why one of the three does not seem to
>>> be working...