Hi All -
Well, it appears that lowering the MTU on the server(s) and client platforms
does solve the problem I was having (annoyingly). It also
appears that Blowfish (in phase 2) requires a different MTU setting
(slightly lower) than AES does, just as an interesting
tidbit of information, although this was observed but not carefully
verified. I'm not certain why allowing fragmented packets doesn't solve
the problem, but it appears that certain packets are still dropped by
certain platforms on a ping unless the MTU is lowered.
I have been able to find very little about this as a general issue on
the web anywhere, but there are obscure references to similar things
happening to others here and there (the Gentoo Linux Wiki on ipsec
recommends lowering MTU as a requirement, for example). Because it
creates such intermittent behavior (some systems affected, some services
affected, but most of them OK) I am not too surprised, but I hope that
someone with a bit more time (and knowledge about the internals of
ipsec) than myself has a chance to get to the bottom of it. It is no
fun having to change the MTU on every endpoint of a given network
running ipsec, and it obfuscates the state of the network down the road
(other IT people will need to know that the MTU on every given platform
is different, etc.).
I don't know if the problem is m0n0wall (Racoon) specific.
Thanks again to everyone who helped me get to the bottom of this!
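The post above settles on lowering the MTU by trial and error. The following script is an added example, not code from the original post or from m0n0wall/Racoon: it measures the usable path MTU toward a peer by binary-searching the largest ICMP echo payload that gets a reply with the DF (don't fragment) bit set, then adds the 28 bytes of IPv4 and ICMP header to report the MTU itself. It assumes Linux iputils `ping`, where `-M do` sets DF (BSD `ping` uses `-D` instead); the host name, the default upper bound of 1472 (a 1500-byte Ethernet frame minus 28 header bytes) and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example: find the largest DF-marked ICMP payload that crosses the path
# to HOST, then report the path MTU (payload + 20-byte IPv4 + 8-byte ICMP).
# Assumes Linux iputils ping; not part of the original post or of m0n0wall.

# ping_df SIZE HOST -> exit 0 if one DF-marked ping of SIZE payload bytes got a reply.
# A local "message too long" error (size above the interface MTU) also returns nonzero.
ping_df() {
    ping -M do -c 1 -W 2 -s "$1" "$2" >/dev/null 2>&1
}

# probe_mtu HOST [LOW] [HIGH] -> prints the path MTU in bytes.
# LOW is a payload size assumed to always pass (default 28);
# HIGH is the largest payload worth trying (default 1472 = 1500 - 28).
probe_mtu() {
    host=$1
    lo=${2:-28}
    hi=${3:-1472}

    # If the largest candidate already passes, the path carries full-size frames.
    if ping_df "$hi" "$host"; then
        echo "$((hi + 28))"
        return 0
    fi

    # Invariant: payload lo gets through, payload hi does not.
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if ping_df "$mid" "$host"; then
            lo=$mid
        else
            hi=$mid
        fi
    done

    # lo is now the largest payload that passed; add the IPv4 + ICMP headers.
    echo "$((lo + 28))"
}

# Usage: sh probe_mtu.sh <peer-address-inside-the-tunnel>
if [ "$#" -ge 1 ]; then
    mtu=$(probe_mtu "$1")
    echo "path MTU toward $1: $mtu bytes (largest DF-marked payload: $((mtu - 28)))"
fi
```

Run it from an endpoint against a peer address that is reached through the IPsec tunnel: the number it prints is the largest packet the path actually carries, so the interface MTU on that endpoint can be set to that value instead of a guess. The difference between it and the physical link MTU is the combined ESP, padding and outer-header overhead of the tunnel, which is why a cipher with a different block size can move the figure by a few bytes.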