Re: AW: [m0n0wall] Problem with IPSec VPN Tunnel

From:	Michael Brown <knightmb at knightmb dot dyndns dot org>
To:	"m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
Subject:	Re: AW: [m0n0wall] Problem with IPSec VPN Tunnel - MTU-Size?
Date:	Wed, 13 Feb 2008 10:48:54 -0600

I've run into this issue as well. The only solution was to change it on 
the server being accessed or whatever client PCs that were "acting" like 
a server that other machines would connect to (whether for file sharing 
or whatever). The problem that I had though was not the IPSec Tunnel, 
but the actually ISP was having problems with the MTU setting between 
two different ISP (in that case, it was Comcast to AT&T). The m0n0wall 
machines I setup, one machine was behaving like a hub for more others 
across the Internet. One site, which never had any problems nor 
modifications for the MTU, had it's ISP changed out to Comcast and 
that's when all the trouble started. I tried everything on both ends 
(MTU settings, fragmented packets, etc) and nothing worked. The ISP 
changed prevented the client computers from connecting to a server back 
at home base. Finally, I changed the MTU of the server to 1400 and 
everything worked. Why it was this specific ISP to ISP connection that 
didn't work with a standard MTU of 1500 I have no idea.

Thanks,
Michael

Michael Stecher wrote:
> Hello,
>
> have many thanks for your quick response.
>
> 1. We've tried this out yesterday, but without any success.
> 2. We've also tried this, but lowering the WAN MTU cause that most internet sites aren't
reachable.
>
> Are there any other options?
>
> Best regards,
>
> Michael
>
>
>
>
>