[ previous ] [ next ] [ threads ]
 From:  Jeff Buehler <jeff at buehlertech dot com>
 To:  Kristian Shaw <monowall at wealdclose dot co dot uk>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] RE: RE : [m0n0wall] outlook -> exchange problem
 Date:  Sun, 26 Feb 2006 08:43:35 -0800
Hi All -

Well, it appears that the MTU on the server(s) and client platforms 
being lowered does solve the problem I was having (annoyingly).  It also 
appears that Blowfish (in phase 2) requires a different MTU setting 
(slightly lower) than AES appears to as well, just for an interesting 
tidbit of information, although this observed but not carefully 
verified.  I'm not certain why allowing fragmented packets doesn't solve 
the problem, but it appears that certain packets are still dropped by 
certain platforms on a ping unless the MTU is lowered.

I have been able to find very little about this as a general issue on 
the web anywhere, but there are obscure references to similar things 
happening to others here and there (the Gentoo Linux Wiki on ipsec 
recommends lowering MTU as a requirement, for example).  Because it 
creates such intermittent behavior (some systems affected, some services 
affected, but most of them OK) I am not too surprised, but I hope that 
someone with a bit more time (and knowledge about the internals of 
ipsec) than myself has a chance to get to the bottom of it.  It is no 
fun having to change the MTU on every endpoint of a given network 
running ipsec, and it obfuscates the state of the network down the road 
(other IT people will need to know that the MTU on every given platform 
is different, etc.).

I don't know if the problem is m0n0wall (Racoon) specific.

Thanks again to everyone who helped me get to the bottom of this!