Hello,

It allows large packets that have to be fragmented to be correctly reassembled when they are received via IPSEC.

You can test this:

(In Windows)
ping remote_host -l 2048

This above ping should fail.

If you set 'Allow Fragmented Packets' on the outbound firewall rule on the local firewall, and enable allow fragmented IPSEC packets on the remote firewall, then the ping will be successful.

Kris.

----- Original Message -----
From: "Don Munyak" <don dot munyak at gmail dot com>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Wednesday, May 10, 2006 3:01 PM
Subject: Re: [m0n0wall] IPSEC Issues site-to-site ver 1.22

Manuel, Chris, or anyone else,

Has anything changed with respect to IPSEC from 1.21 to 1.22 which would create any problems setting up IPSEC site-to-site between two m0n0walls?

I noticed from the change log...

"added option to System: Advanced page to allow IPsec/ESP-encrypted IP fragments to be passed (mkasper)"

What exactly can this do for me ??

~Don

On 5/8/06, Don Munyak <don dot munyak at gmail dot com> wrote:
> > Anyway, here's my config for the site-to-site IPSEC configuration.
> > This same configuration works on ver 1.21 using two (2) Soekris
> > routers. This configuration is not working with version 1.22 using
> > two (2) Netgate routers. This is the only difference between the two
> > different client sites. I personally don't feel the router hardware
> > has anything to do with this... but I could be wrong ??
> >
> > btw... I did check SAD/SPD as suggested from the docbook
> http://doc.m0n0.ch/handbook/troubleshooting-bridging.html
> > I do have two entries for each, SAD/SPD, at both ends.
> > ~Don
>

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
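To make the behaviour Kris describes concrete, here is an added model (not code from the list post or from m0n0wall) of why a 2048-byte ping through an ESP tunnel is split into IP fragments and why a stateless filter that does not trust ESP fragments drops the non-initial ones. It assumes a 1500-byte link MTU and an illustrative tunnel-mode ESP overhead; the exact overhead depends on the cipher and padding in use.

```python
# Added example: models "ping -l 2048" across an IPsec/ESP tunnel.
# Assumptions (not from the page): 1500-byte MTU, and a tunnel-mode ESP
# overhead of SPI/seq (8) + IV (8) + pad/next-header (2) + ICV (12).
IPV4_HDR = 20
ICMP_HDR = 8
ESP_PROTO = 50                       # IP protocol number for ESP
ESP_OVERHEAD = 8 + 8 + 2 + 12        # illustrative, cipher-dependent

def ipv4_fragments(payload_len, mtu=1500, proto=ESP_PROTO):
    """Split an IPv4 datagram with `payload_len` payload bytes into
    fragments that fit the MTU. Fragment data (except the last piece)
    must be a multiple of 8 bytes because the offset field counts
    8-byte units."""
    chunk = (mtu - IPV4_HDR) // 8 * 8
    frags, off = [], 0
    while off < payload_len:
        n = min(chunk, payload_len - off)
        frags.append({"proto": proto, "offset": off // 8,
                      "mf": off + n < payload_len, "len": n})
        off += n
    return frags

def esp_tunnel_fragments(icmp_data_len, mtu=1500):
    """Fragments of the outer ESP packet carrying one ICMP echo with
    `icmp_data_len` data bytes (the -l value in Windows ping)."""
    inner = IPV4_HDR + ICMP_HDR + icmp_data_len   # plaintext ping packet
    return ipv4_fragments(inner + ESP_OVERHEAD, mtu)

def firewall_pass(frag, allow_esp_fragments):
    """Stateless rule: only the initial fragment carries the ESP header,
    so a non-initial fragment can only be matched by trusting that ESP
    fragments will be reassembled after the filter (the m0n0wall 1.22
    option). Without that trust it is dropped."""
    if frag["offset"] == 0:
        return True
    return allow_esp_fragments and frag["proto"] == ESP_PROTO

def ping_succeeds(icmp_data_len, allow_esp_fragments, mtu=1500):
    """The echo only gets through if every fragment passes the filter."""
    return all(firewall_pass(f, allow_esp_fragments)
               for f in esp_tunnel_fragments(icmp_data_len, mtu))

if __name__ == "__main__":
    for size in (32, 2048):
        print(size, len(esp_tunnel_fragments(size)), "fragment(s);",
              "default:", ping_succeeds(size, False),
              "allow ESP fragments:", ping_succeeds(size, True))
```

A default-size ping (32 data bytes) fits in one packet and passes either way, which is why the tunnel looks healthy until something larger is sent.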