[ previous ] [ next ] [ threads ]
 
 From:  "Jai Ketteridge" <jai at vtn dot net dot au>
 To:  "M0n0wall" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  IPSEC NAT-T VPN: Bad Packet Fragmentation Causing Headaches!
 Date:  Wed, 17 Jan 2007 12:05:40 +0900
Hi Everyone
 
I currently have an IPSEC site to site VPN setup between two 1.3b2 m0n0s and
it connects ok using NAT-T UDP 4500 and I can ping to each side of the VPN
and client PCs on either side. My problem comes across when I want to remote
desktop or to do windows file sharing and that sort of thing (or infact PPTP
from inside one Lan to connect to the FQDN of the VPN server on the other
end) that I notice alot of fragmentation?. Im not too much of a guru on the
ipfilter but here is a screenshot of my syslog from one side.
http://www.vtn.net.au/private/mono/firewall-log.jpg 
 
My Network layout is like this
Singapore:
Dlink DSL604T IPOA Static IP and LAN 192.168.1.1 - "DMZ" Feature Set on
Modem to direct ALL traffic to 192.168.1.254 -> Mono's WAN 192.168.1.254 ,
Mono's LAN 10.1.0.1
 
Perth:
Linksys ADSL Modem in Bridge Mode, Monowall handling PPPOE - Mono's WAN is
ISP IP Address, Mono LAN 10.0.0.1
 
To try and combat this I have enabled IPSEC packet fragmentation on both
sides and made firewall rules at both ends for all UDP traffic to be allowed
fragmented. Basically this happens alot and makes the link almost useless. I
cannot figure out what else to do, except that perhaps the DLink is causing
these issues. I dont think I can run non NAT-T because NAT is enabled on the
DLINK to allow the DMZ to work.
 
Another option I have in the DLink is to run a virtual server, and forward
ESP, GRE, UDP 500 and UDP 4500 to the IP of the mono, however I havent
managed to get that to work correctly yet. (would NAT still need to be
enabled for that?). Or could this be an MTU issue?

Im willing to let someone take a look at all my configs as its really doing
my head in!
 
Thanks!
JK