>>Or could this be an MTU issue?
That's the first thing I thought of.
I'd try a very low MTU and see if the traffic passes ok.
----- Original Message -----
From: "Jai Ketteridge"
Subject: [m0n0wall] IPSEC NAT-T VPN: Bad Packet Fragmentation Causing
Date: Wed, 17 Jan 2007 12:05:40 +0900
I currently have an IPSEC site to site VPN setup between two 1.3b2
it connects ok using NAT-T UDP 4500 and I can ping to each side of
and client PCs on either side. My problem comes across when I want to
desktop or to do windows file sharing and that sort of thing (or
from inside one Lan to connect to the FQDN of the VPN server on the
end) that I notice alot of fragmentation?. Im not too much of a guru
ipfilter but here is a screenshot of my syslog from one side.
My Network layout is like this
Dlink DSL604T IPOA Static IP and LAN 192.168.1.1 - "DMZ" Feature Set
Modem to direct ALL traffic to 192.168.1.254 -> Mono's WAN
Mono's LAN 10.1.0.1
Linksys ADSL Modem in Bridge Mode, Monowall handling PPPOE - Mono's
ISP IP Address, Mono LAN 10.0.0.1
To try and combat this I have enabled IPSEC packet fragmentation on
sides and made firewall rules at both ends for all UDP traffic to be
fragmented. Basically this happens alot and makes the link almost
cannot figure out what else to do, except that perhaps the DLink is
these issues. I dont think I can run non NAT-T because NAT is enabled
DLINK to allow the DMZ to work.
Another option I have in the DLink is to run a virtual server, and
ESP, GRE, UDP 500 and UDP 4500 to the IP of the mono, however I
managed to get that to work correctly yet. (would NAT still need to
enabled for that?). Or could this be an MTU issue?
Im willing to let someone take a look at all my configs as its really
my head in!