 From:  "Kristian Shaw" <monowall at wealdclose dot co dot uk>
 To:  "Don Munyak" <don dot munyak at gmail dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] IPSEC Issues site-to-site ver 1.22
 Date:  Wed, 10 May 2006 18:07:30 +0100
Hello,

It allows large packets that have to be fragmented to be correctly 
reassembled when they are received via IPSEC.

You can test this (in Windows):

ping remote_host -l 2048

The above ping should fail. If you set 'Allow Fragmented Packets' on the 
outbound firewall rule on the local firewall, and enable allow fragmented 
IPSEC packets on the remote firewall, then the ping will be successful.

Kris.

----- Original Message ----- 
From: "Don Munyak" <don dot munyak at gmail dot com>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Wednesday, May 10, 2006 3:01 PM
Subject: Re: [m0n0wall] IPSEC Issues site-to-site ver 1.22


Manuel, Chris, or anyone else

Has anything changed with respect to IPSEC from 1.21 to 1.22 which
would create any problems setting up IPSEC site-to-site between two
m0n0walls?

I noticed from the change log... "added option to System: Advanced
page to allow IPsec/ESP-encrypted IP fragments to be passed (mkasper)"

What exactly can this do for me ??

~Don

On 5/8/06, Don Munyak <don dot munyak at gmail dot com> wrote:
> > Anyway, Here's my config for the site-to-site IPSEC configuration.
> > This same configuration works on ver 1.21 using two(2) soekris
> > routers. This configuration is not working with version 1.22 using
> > two(2) netgate routers. These are the only difference between the two
> > different client sites. I personally don't feel the router hardware
> > has anything to do with this... but I could be wrong ??
> >
>
> btw...I did check SAD/SPD as suggested from docbook
> http://doc.m0n0.ch/handbook/troubleshooting-bridging.html
>
> I do have two entries for each, SAD/SPD, at both ends.
>
> ~Don
>
