 
 From:  "Kristian Shaw" <monowall at wealdclose dot co dot uk>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Problem with IPSec VPN Tunnel - MTU-Size?
 Date:  Thu, 14 Feb 2008 00:26:10 -0000
Hello,

Windows networks are supposed to sort all this out automatically, but it can 
go very wrong if a misconfigured router is in the way.

Generally, IP packets from an ethernet connected machine will need to be 
fragmented when encapsulated within IPSEC. However, some ISP devices are 
misconfigured and can:

1. Drop fragmented packets
or
2. If a link has a lower MTU than 1500, the ISP's routers may fail to send 
an ICMP message back which is necessary for PMTU discovery to work (e.g. 
notify the sending machine that it needs to use a lower MTU for packets 
to this host).

These devices are known as 'black hole routers' and cause havoc with IPSEC. 
It also stops things like websites from working correctly when you manually 
lower your MTU, because the web server never gets the message that it needs 
to use a lower MTU when sending packets back to you.

I would guess these are caused by firewalls configured by people who think 
that ICMP and fragmented packets are bad. When it comes to IPSEC, you really 
don't want anyone to have configured a firewall or packet filter that might 
silently drop packets.

If you can't do something like "ping www.bbc.co.uk -l 2048" from a PC 
directly connected (or through a firewall that allows fragments) then you 
need to complain loudly to your ISP, as they are breaking some low level 
protocols.

Kris.
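The "what MTU fits inside the tunnel" question in this thread comes down to ESP overhead arithmetic. The following is an added example (not from the list post or from m0n0wall) that computes the on-the-wire size of an ESP tunnel-mode packet for a given inner packet size, and from that the largest inner MTU and TCP MSS that fit a given path MTU without fragmentation. The sizes assume IPv4 and RFC 4303 ESP framing: 20-byte outer IP header, optional 8-byte UDP header for NAT-T, 8-byte SPI/sequence header, a cipher IV, the inner packet padded (together with the 2-byte pad-length/next-header trailer) up to the cipher block size, and an ICV. The default transform (AES-CBC with a 16-byte IV and HMAC-SHA1-96) is an assumption chosen for illustration; pick the parameters matching your own phase 2 proposal.

```python
"""ESP tunnel-mode overhead calculator (added example, IPv4 only)."""

OUTER_IP_HDR = 20   # outer IPv4 header
UDP_HDR = 8         # only present with NAT-Traversal (UDP encapsulation)
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1), inside the encrypted part
IP_TCP_HDRS = 40    # inner IPv4 header (20) + TCP header (20), no options


def _round_up(n: int, multiple: int) -> int:
    """Smallest multiple of `multiple` that is >= n."""
    return (n + multiple - 1) // multiple * multiple


def esp_packet_size(inner_len: int, *, cipher_block: int = 16, iv_len: int = 16,
                    icv_len: int = 12, nat_t: bool = False) -> int:
    """Bytes on the wire for an inner IP packet of `inner_len` bytes.

    Defaults assume AES-CBC (16-byte block, 16-byte IV) with HMAC-SHA1-96
    (12-byte ICV). For 3DES-CBC use cipher_block=8, iv_len=8; for
    HMAC-SHA256-128 use icv_len=16.
    """
    fixed = OUTER_IP_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv_len + icv_len
    # The inner packet plus the 2-byte trailer is padded up to the cipher block
    # size; block sizes of 8 or 16 also satisfy ESP's 4-byte alignment rule.
    encrypted = _round_up(inner_len + ESP_TRAILER, cipher_block)
    return fixed + encrypted


def max_inner_mtu(path_mtu: int, **transform) -> int:
    """Largest inner packet that still fits `path_mtu` after ESP encapsulation.

    esp_packet_size() is monotonic in inner_len, so the first size that fits,
    walking down from path_mtu, is the maximum.
    """
    for inner in range(path_mtu, 0, -1):
        if esp_packet_size(inner, **transform) <= path_mtu:
            return inner
    raise ValueError("path MTU too small for any ESP payload")


def tcp_mss_clamp(path_mtu: int, **transform) -> int:
    """TCP MSS to advertise/clamp so that full segments never need fragmenting."""
    return max_inner_mtu(path_mtu, **transform) - IP_TCP_HDRS


if __name__ == "__main__":
    for label, kw in [("AES-CBC/SHA1", {}),
                      ("AES-CBC/SHA1 + NAT-T", {"nat_t": True}),
                      ("3DES-CBC/MD5", {"cipher_block": 8, "iv_len": 8})]:
        mtu = max_inner_mtu(1500, **kw)
        print(f"{label:22s} inner MTU {mtu}  TCP MSS {tcp_mss_clamp(1500, **kw)}")
```

With a 1500-byte WAN path and AES-CBC/SHA1 the inner MTU works out to 1438 (MSS 1398), or 1422 (MSS 1382) once NAT-T adds its UDP header, which is why a client MTU of 1400 "just works" in this thread: it leaves room for the encapsulation on a 1500-byte path. If the path between the two gateways is itself below 1500 and a black-hole router suppresses the ICMP "fragmentation needed" messages, feed the real (probed) path MTU in instead of 1500. Note also that Windows `ping -l 2048` without `-f` sends a fragmented echo request and so tests fragment delivery; `ping -f -l <size>` sets DF and tests the path MTU itself.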

----- Original Message ----- 
From: "Michael Stecher" <Michael dot Stecher at cib dot de>
To: "'Kristian Shaw'" <monowall at wealdclose dot co dot uk>; <m0n0wall at lists dot m0n0 dot ch>
Sent: Wednesday, February 13, 2008 9:05 AM
Subject: AW: [m0n0wall] Problem with IPSec VPN Tunnel - MTU-Size?


Hello,

Many thanks for your quick response.

1. We've tried this out yesterday, but without any success.
2. We've also tried this, but lowering the WAN MTU causes most internet 
sites to become unreachable.

Are there any other options?

Best regards,

Michael




From: Kristian Shaw [mailto:monowall at wealdclose dot co dot uk]
Sent: Wednesday, 13 February 2008 09:57
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Problem with IPSec VPN Tunnel - MTU-Size?

Hello,

1. Try enabling fragmented packets on the rules that allow outbound traffic 
from the LAN (or OP1 etc) and also tick the box in advanced options to allow 
fragmented packets.

2. If that doesn't work, try lowering the MTU of the WAN interface on both 
ends of the link.

Kris.

----- Original Message -----
From: "Michael Stecher" <Michael dot Stecher at cib dot de>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Wednesday, February 13, 2008 8:51 AM
Subject: [m0n0wall] Problem with IPSec VPN Tunnel - MTU-Size?


Hello,

we've got a running IPSec tunnel between two locations. Now we've got the 
problem that some packets get lost. We've changed the MTU on a client PC to 
1400 and everything works fine.

Now my question: Is it possible to change the MTU size (or the MSS value) of 
the tunnel?

More detailed information is described here:
http://forum.m0n0.ch/index.php/topic,1630.0.html

Have many thanks for your help.

Best regards,

Michael Stecher



---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
