|
||||||||
>>Or could this be an MTU issue? That's the first thing I thought of. I'd try a very low MTU and see if the traffic passes ok. ----- Original Message ----- From: "Jai Ketteridge" To: "M0n0wall" Subject: [m0n0wall] IPSEC NAT-T VPN: Bad Packet Fragmentation Causing Headaches! Date: Wed, 17 Jan 2007 12:05:40 +0900 Hi Everyone I currently have an IPSEC site to site VPN setup between two 1.3b2 m0n0s and it connects ok using NAT-T UDP 4500 and I can ping to each side of the VPN and client PCs on either side. My problem comes across when I want to remote desktop or to do windows file sharing and that sort of thing (or infact PPTP from inside one Lan to connect to the FQDN of the VPN server on the other end) that I notice alot of fragmentation?. Im not too much of a guru on the ipfilter but here is a screenshot of my syslog from one side. http://www.vtn.net.au/private/mono/firewall-log.jpg My Network layout is like this Singapore: Dlink DSL604T IPOA Static IP and LAN 192.168.1.1 - "DMZ" Feature Set on Modem to direct ALL traffic to 192.168.1.254 -> Mono's WAN 192.168.1.254 , Mono's LAN 10.1.0.1 Perth: Linksys ADSL Modem in Bridge Mode, Monowall handling PPPOE - Mono's WAN is ISP IP Address, Mono LAN 10.0.0.1 To try and combat this I have enabled IPSEC packet fragmentation on both sides and made firewall rules at both ends for all UDP traffic to be allowed fragmented. Basically this happens alot and makes the link almost useless. I cannot figure out what else to do, except that perhaps the DLink is causing these issues. I dont think I can run non NAT-T because NAT is enabled on the DLINK to allow the DMZ to work. Another option I have in the DLink is to run a virtual server, and forward ESP, GRE, UDP 500 and UDP 4500 to the IP of the mono, however I havent managed to get that to work correctly yet. (would NAT still need to be enabled for that?). Or could this be an MTU issue? Im willing to let someone take a look at all my configs as its really doing my head in! Thanks! JK |