Hi All - Well, it appears that lowering the MTU on the server(s) and client platforms does solve the problem I was having (annoyingly). It also appears that Blowfish (in phase 2) requires a different MTU setting (slightly lower) than AES does, just as an interesting tidbit of information, although this was observed and not carefully verified. I'm not certain why allowing fragmented packets doesn't solve the problem, but it appears that certain packets are still dropped by certain platforms on a ping unless the MTU is lowered. I have been able to find very little about this as a general issue on the web anywhere, but there are obscure references to similar things happening to others here and there (the Gentoo Linux Wiki on ipsec recommends lowering the MTU as a requirement, for example). Because it creates such intermittent behavior (some systems affected, some services affected, but most of them OK) I am not too surprised, but I hope that someone with a bit more time (and knowledge about the internals of ipsec) than myself has a chance to get to the bottom of it. It is no fun having to change the MTU on every endpoint of a given network running ipsec, and it obfuscates the state of the network down the road (other IT people will need to know that the MTU on every given platform is different, etc.). I don't know if the problem is m0n0wall (Racoon) specific. Thanks again to everyone who helped me get to the bottom of this! Jeff
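Added example, not part of the post above: a Python calculation of ESP tunnel-mode overhead that shows why a 1500-byte inner packet cannot fit through a 1500-byte path, why allowing fragmentation only helps if nothing on the path drops fragments, and how the cipher block size (16 bytes for AES-CBC, 8 for Blowfish-CBC) shifts the largest workable endpoint MTU. The AES-CBC/Blowfish-CBC block sizes, the 12-byte HMAC-SHA1-96 ICV and the optional NAT-T UDP header are assumptions, not the poster's actual Racoon configuration.

```python
import math

# Fixed ESP tunnel-mode framing (RFC 4303): outer IPv4 header, SPI plus
# sequence number, optional NAT-T UDP header. Cipher and ICV sizes below are
# assumptions matching the ciphers named in the post, not the poster's config.
OUTER_IP_HDR = 20
ESP_HDR = 8            # SPI (4) + sequence number (4)
NAT_T_UDP_HDR = 8      # only when ESP is wrapped in UDP/4500
ESP_TRAILER = 2        # pad length (1) + next header (1)
ICV_LEN = 12           # HMAC-SHA1-96 / HMAC-MD5-96 truncated authenticator

# For CBC ciphers the block size is also the size of the IV sent on the wire.
CIPHER_BLOCK = {"aes-cbc": 16, "blowfish-cbc": 8}


def esp_tunnel_size(inner_len, cipher, nat_t=False, icv_len=ICV_LEN):
    """Bytes on the wire for one inner IP packet of inner_len bytes."""
    blk = CIPHER_BLOCK[cipher]
    # Payload plus trailer is padded up to a whole number of cipher blocks.
    encrypted = math.ceil((inner_len + ESP_TRAILER) / blk) * blk
    total = OUTER_IP_HDR + ESP_HDR + blk + encrypted + icv_len
    if nat_t:
        total += NAT_T_UDP_HDR
    return total


def max_inner_mtu(outer_mtu, cipher, nat_t=False, icv_len=ICV_LEN):
    """Largest inner packet that leaves the tunnel endpoint unfragmented."""
    for inner_len in range(outer_mtu, 0, -1):
        if esp_tunnel_size(inner_len, cipher, nat_t, icv_len) <= outer_mtu:
            return inner_len
    raise ValueError("outer MTU too small for any ESP packet")


def will_fragment(inner_len, outer_mtu, cipher, nat_t=False):
    """True if the encapsulated packet must be fragmented (or dropped with DF)."""
    return esp_tunnel_size(inner_len, cipher, nat_t) > outer_mtu


if __name__ == "__main__":
    for cipher in CIPHER_BLOCK:
        for nat_t in (False, True):
            print(f"{cipher:13s} nat_t={nat_t!s:5s} "
                  f"1500-byte inner -> {esp_tunnel_size(1500, cipher, nat_t)} on wire, "
                  f"endpoint MTU to avoid fragmentation: "
                  f"{max_inner_mtu(1500, cipher, nat_t)}")
```

The endpoint MTU values it prints are the ceiling the header arithmetic alone imposes; a path that silently drops fragments or ICMP "fragmentation needed" messages is what turns that ceiling into the intermittent losses described above.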