Aha! I had a feeling something like that might be the case (everything
basically worked without the WAN rules, which was confusing me until
now). Thanks for the clarification...
That did the trick - I had set the two routers that were able to ping
out successfully to allow frags on the LAN, but the router that I had
trouble with had that off.
Thanks again, Kris!
So, in recap for posterity (anyone unlucky enough to have to deal with
this issue in the future, that is), to manage a Microsoft IPSEC VPN that
needs login capability across the VPN, and Outlook -> Exchange
capability, it is necessary to:
1. Have a version of M0n0wall that allows fragmented packets across
IPSEC (presently http://www.klshaw.co.uk/m0n0wall/)
2. No WAN rules are required for IPSEC at all
3. For the LAN rule that applies to the IPSEC connection, Allow
Fragmented Packets must be set
This is due to the fact that Microsoft puts packets of 2048 bytes in its
RPC protocol for reasons that I can only imagine... but that I try not
to because I have enough to irritate me!
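As an added illustration of why step 3 matters (this is not code from the thread or from m0n0wall): the snippet below models how a 2048-byte RPC datagram is split at a 1500-byte MTU and then inspects the resulting IPv4 headers for the fragment bits, which is the same condition a LAN rule without Allow Fragmented Packets will drop on. The addresses are constructed placeholders, and ESP overhead on the tunnel is ignored.

```python
import struct

IPV4_HDR_LEN = 20          # minimal IPv4 header, no options
MF_FLAG = 0x2000           # "More Fragments" bit in the flags/offset field
OFFSET_MASK = 0x1FFF       # 13-bit fragment offset, in 8-byte units

# Constructed addresses for the sample; they stand in for hosts on the two VPN LANs.
SRC = bytes([10, 0, 1, 10])
DST = bytes([10, 0, 2, 20])


def fragment_datagram(payload_len: int, mtu: int, ident: int = 0x1234, proto: int = 17) -> list[bytes]:
    """Split an IPv4 datagram carrying payload_len bytes into on-the-wire fragments
    the way a router would when the datagram exceeds mtu. Payload bytes are zeros;
    only the headers matter for this demonstration."""
    max_data = (mtu - IPV4_HDR_LEN) // 8 * 8   # fragment data must be a multiple of 8
    frags, offset = [], 0
    while offset < payload_len:
        chunk = min(max_data, payload_len - offset)
        more = offset + chunk < payload_len
        flags_offset = (MF_FLAG if more else 0) | (offset // 8)
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + chunk,
                          ident, flags_offset, 64, proto, 0, SRC, DST)
        frags.append(hdr + b"\x00" * chunk)
        offset += chunk
    return frags


def is_fragment(packet: bytes) -> bool:
    """True when the IPv4 header has MF set or a non-zero offset, i.e. the packet is
    one piece of a larger datagram; a rule without 'allow fragments' drops such packets."""
    flags_offset = struct.unpack("!H", packet[6:8])[0]
    return bool(flags_offset & MF_FLAG) or (flags_offset & OFFSET_MASK) != 0


def needs_allow_fragments(packets: list[bytes]) -> bool:
    """Does this traffic require the LAN rule's Allow Fragmented Packets setting?"""
    return any(is_fragment(p) for p in packets)


if __name__ == "__main__":
    rpc = fragment_datagram(2048, 1500)     # 2048-byte RPC message over a 1500-byte MTU
    print(len(rpc), "fragments on the wire")
    print("rule needs Allow Fragmented Packets:", needs_allow_fragments(rpc))
```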