 From:  "Kristian Shaw" <monowall at wealdclose dot co dot uk>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] IPSEC fragmentation
 Date:  Tue, 10 Oct 2006 16:19:44 +0100
Hello,

The option "Allow fragmented IPsec packets" only applies when packets are 
received and if the m0n0wall is acting as the VPN endpoint.

You also need to select the "Allow fragmented packets" option on outbound 
firewall rules as well.

Regards,

Kris.


----- Original Message ----- 
From: <Paul underscore Kiely at Monitor dot com>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Tuesday, October 10, 2006 3:58 PM
Subject: [m0n0wall] IPSEC fragmentation


> Hello list,
>
> I have a Soekris 4501 running m0n0wall version 1.22
>
> I have an application that traverses the m0n0wall over an IPSEC tunnel.
> The application, which utilizes UDP port 5093, fails at a certain point.  A
> quick check of syslog reveals the following series of blocked segments:
>
> Oct 10 10:26:20 cam-wir ipmon[83]: 10:26:20.260583 sis1 @100:2 b 192.168.6.89 -> a.b.c.d PR udp len 20 (40) (frag 3227:20@1480) K-S IN
> Oct 10 10:26:28 cam-wir ipmon[83]: 10:26:28.266672 sis1 @100:2 b 192.168.6.89 -> a.b.c.d PR udp len 20 (40) (frag 3228:20@1480) K-S IN
> Oct 10 10:26:38 cam-wir ipmon[83]: 10:26:38.262015 sis1 @100:2 b 192.168.6.89 -> a.b.c.d PR udp len 20 (40) (frag 3229:20@1480) K-S IN
>
> Rule 100:2 is the following:
>
> @2 pass in log first quick from 192.168.6.0/24 to any keep state group 100
>
> Does anyone know what may be causing this or how I can fix it?  I enabled
> "Allow fragmented IPsec packets" under the Advanced section but that has
> not fixed the problem.
>
> Thanks.
>
> -Paul
>
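The ipmon lines Paul quotes carry everything needed to recognise this failure mode from the log alone: a `b` (blocked) verdict from a `keep state` rule on a packet whose `(frag id:len@off)` field has a non-zero offset, with no ports printed because a trailing fragment carries no UDP header. Below is an added example, not code from this thread, from m0n0wall or from ipfilter, that parses such lines and reports blocked trailing fragments. The regex, the field names and the fourth "passed first fragment" sample line are my assumptions about ipmon's output layout; the three blocked lines are copied from the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the three ipmon lines quoted in the thread, reflowed to one
# line each, plus a hypothetical fourth line for a passed first fragment so the
# filter has a non-match. The fourth line's exact layout is an assumption about
# ipmon's output format and is not copied from the page.
SAMPLE_LOG = """\
Oct 10 10:26:20 cam-wir ipmon[83]: 10:26:20.260583 sis1 @100:2 b 192.168.6.89 -> a.b.c.d PR udp len 20 (40) (frag 3227:20@1480) K-S IN
Oct 10 10:26:28 cam-wir ipmon[83]: 10:26:28.266672 sis1 @100:2 b 192.168.6.89 -> a.b.c.d PR udp len 20 (40) (frag 3228:20@1480) K-S IN
Oct 10 10:26:38 cam-wir ipmon[83]: 10:26:38.262015 sis1 @100:2 b 192.168.6.89 -> a.b.c.d PR udp len 20 (40) (frag 3229:20@1480) K-S IN
Oct 10 10:26:38 cam-wir ipmon[83]: 10:26:38.100000 sis1 @100:2 p 192.168.6.89,5093 -> a.b.c.d,5093 PR udp len 20 1500 K-S IN
"""

# Assumed ipmon layout: syslog prefix, ipmon timestamp, interface, @group:rule,
# one-letter verdict, src -> dst, protocol, header length, total length (in
# parentheses for fragments), optional "(frag id:len@off)", flags, direction.
IPMON_RE = re.compile(
    r"^(?P<date>\w{3} +\d+ [\d:]+) (?P<host>\S+) ipmon\[(?P<pid>\d+)\]: "
    r"(?P<ts>[\d:.]+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\S) "
    r"(?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\w+) len (?P<hlen>\d+) \(?(?P<plen>\d+)\)?"
    r"(?: \(frag (?P<frag_id>\d+):(?P<frag_len>\d+)@(?P<frag_off>\d+)\))?"
    r"(?: (?P<flags>[A-Z-]+))? (?P<direction>IN|OUT)$"
)


@dataclass
class IpmonEvent:
    iface: str
    group: int
    rule: int
    action: str            # ipmon verdict letter: 'b' blocked, 'p' passed
    src: str               # "addr" or "addr,port" exactly as printed
    dst: str
    proto: str
    hlen: int              # IP header length
    plen: int              # total length of this packet on the wire
    frag_id: Optional[int]
    frag_len: Optional[int]
    frag_off: Optional[int]  # byte offset of this fragment within the original datagram
    flags: str
    direction: str

    @property
    def is_trailing_fragment(self) -> bool:
        # Offset > 0 means this is not the first fragment, so it carries no
        # transport header and a stateful rule has no ports to match against.
        return self.frag_off is not None and self.frag_off > 0


def parse_ipmon(text: str) -> List[IpmonEvent]:
    events: List[IpmonEvent] = []
    for line in text.splitlines():
        m = IPMON_RE.match(line.strip())
        if not m:
            continue  # not an ipmon line, or a variant this parser does not know
        g = m.groupdict()
        events.append(IpmonEvent(
            iface=g["iface"], group=int(g["group"]), rule=int(g["rule"]),
            action=g["action"], src=g["src"], dst=g["dst"], proto=g["proto"],
            hlen=int(g["hlen"]), plen=int(g["plen"]),
            frag_id=int(g["frag_id"]) if g["frag_id"] is not None else None,
            frag_len=int(g["frag_len"]) if g["frag_len"] is not None else None,
            frag_off=int(g["frag_off"]) if g["frag_off"] is not None else None,
            flags=g["flags"] or "", direction=g["direction"],
        ))
    return events


def blocked_trailing_fragments(events: List[IpmonEvent]) -> List[IpmonEvent]:
    """Events where a non-first fragment was blocked: the symptom in the thread."""
    return [e for e in events if e.action == "b" and e.is_trailing_fragment]


def summarize_fragments(events: List[IpmonEvent]) -> Dict[str, object]:
    hits = blocked_trailing_fragments(events)
    return {
        "count": len(hits),
        "ids": [e.frag_id for e in hits],
        "interfaces": sorted({e.iface for e in hits}),
        "rules": sorted({f"{e.group}:{e.rule}" for e in hits}),
        # offset + length of a trailing fragment is the size of the original IP payload
        "original_payload_bytes": sorted({e.frag_off + e.frag_len for e in hits}),
    }


if __name__ == "__main__":
    parsed = parse_ipmon(SAMPLE_LOG)
    for e in blocked_trailing_fragments(parsed):
        print(f"{e.iface} rule {e.group}:{e.rule} blocked trailing fragment "
              f"id={e.frag_id} {e.frag_len}B @ offset {e.frag_off} from {e.src}")
    print(summarize_fragments(parsed))
```

Run against the quoted lines, the summary reports three blocked fragments, all from rule 100:2 on sis1, each 20 bytes at offset 1480. Offset plus length gives a 1500-byte IP payload, so the first fragment filled a 1500-byte frame and only the last 20 bytes spilled into a second packet; that second packet is what the stateful rule dropped. A recurring pattern of this shape on a rule that otherwise passes the flow is the log signature to look for before reaching for the "Allow fragmented packets" option Kris describes.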