Hello,

Windows networks are supposed to sort all this out automatically, but it can go very wrong if a misconfigured router is in the way. Generally, IP packets from an ethernet connected machine will need to be fragmented when encapsulated within IPSEC. However, some ISP devices are misconfigured and can:

1. Drop fragmented packets, or
2. If a link has a lower MTU than 1500, the ISP's routers may fail to send back the ICMP message which is necessary for PMTU discovery to work (e.g. to notify the sending machine that it needs to use a lower MTU for packets to this host).

These devices are known as 'black hole routers' and cause havoc with IPSEC. It also stops things like websites from working correctly when you manually lower your MTU, because the web server never gets the message that it needs to use a lower MTU when sending packets back to you. I would guess these are caused by firewalls configured by people who think that ICMP and fragmented packets are bad. When it comes to IPSEC, you really don't want anyone to have configured a firewall or packet filter that might silently drop packets.

If you can't do something like "ping www.bbc.co.uk -l 2048" from a PC directly connected (or through a firewall that allows fragments) then you need to complain loudly to your ISP, as they are breaking some low level protocols.

Kris.

----- Original Message -----
From: "Michael Stecher" <Michael dot Stecher at cib dot de>
To: "'Kristian Shaw'" <monowall at wealdclose dot co dot uk>; <m0n0wall at lists dot m0n0 dot ch>
Sent: Wednesday, February 13, 2008 9:05 AM
Subject: AW: [m0n0wall] Problem with IPSec VPN Tunnel - MTU-Size?

Hello,

have many thanks for your quick response.

1. We've tried this out yesterday, but without any success.
2. We've also tried this, but lowering the WAN MTU causes most internet sites to be unreachable.

Are there any other options?

Best regards,
Michael

-----Original Message-----
From: Kristian Shaw [mailto:monowall at wealdclose dot co dot uk]
Sent: Wednesday, 13 February 2008 09:57
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Problem with IPSec VPN Tunnel - MTU-Size?

Hello,

1. Try enabling fragmented packets on the rules that allow outbound traffic from the LAN (or OP1 etc) and also tick the box in advanced options to allow fragmented packets.
2. If that doesn't work, try lowering the MTU of the WAN interface on both ends of the link.

Kris.

----- Original Message -----
From: "Michael Stecher" <Michael dot Stecher at cib dot de>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Wednesday, February 13, 2008 8:51 AM
Subject: [m0n0wall] Problem with IPSec VPN Tunnel - MTU-Size?

Hello,

we've got a running IPSec tunnel between two locations. Now we've got the problem that some packets get lost. We've changed the MTU on a client PC to 1400 and everything works fine.

Now my question: Is it possible to change the MTU size (or the MSS value) of the tunnel?

More detailed information is described here: http://forum.m0n0.ch/index.php/topic,1630.0.html

Have many thanks for your help.

Best regards,
Michael Stecher

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
---------------------------------------------------------------------
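The thread turns on why a 1500-byte inner packet no longer fits once ESP wraps it, and what MTU or MSS the tunnel endpoints should therefore use. The following calculation is an added example and not code from the list or from m0n0wall; it assumes ESP tunnel mode with AES-CBC (16-byte IV and block alignment) and HMAC-SHA1-96 (12-byte ICV), a cipher suite the thread never states, and optional NAT-T UDP encapsulation.

```python
# ESP tunnel-mode overhead and resulting inner MTU / TCP MSS.
# Added example; the cipher parameters below are assumptions, not taken
# from the thread. Adjust block/iv_len/icv_len for your own SA.

IPV4_HDR = 20       # outer (and inner) IPv4 header, no options
TCP_HDR = 20        # TCP header, no options
UDP_HDR = 8         # only present with NAT-T (UDP encapsulation)
ESP_SPI_SEQ = 8     # ESP SPI (4 bytes) + sequence number (4 bytes)


def esp_packet_size(inner_len, block=16, iv_len=16, icv_len=12, nat_t=False):
    """Bytes on the wire after ESP tunnel-mode encapsulation of an inner
    IP packet of inner_len bytes (default: AES-CBC + HMAC-SHA1-96)."""
    # Encrypted area = inner packet + padding + pad length (1) + next header (1),
    # padded up to a multiple of the cipher block size.
    plain = inner_len + 2
    pad = (-plain) % block
    size = IPV4_HDR + ESP_SPI_SEQ + iv_len + plain + pad + icv_len
    if nat_t:
        size += UDP_HDR
    return size


def needs_fragmentation(inner_len, outer_mtu=1500, **kw):
    """True when the encapsulated packet exceeds the outer link MTU, i.e. it
    must be fragmented (and will be lost behind a black-hole router)."""
    return esp_packet_size(inner_len, **kw) > outer_mtu


def max_inner_mtu(outer_mtu=1500, **kw):
    """Largest inner packet that still fits the outer MTU unfragmented."""
    n = outer_mtu
    while esp_packet_size(n, **kw) > outer_mtu:
        n -= 1
    return n


def tcp_mss_for(inner_mtu):
    """TCP MSS to clamp so a full segment fits the given inner MTU."""
    return inner_mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    for inner in (1500, 1400):
        print(inner, "->", esp_packet_size(inner), "bytes,",
              "fragmented" if needs_fragmentation(inner) else "fits")
    for nat in (False, True):
        m = max_inner_mtu(nat_t=nat)
        print("NAT-T" if nat else "plain ESP", "inner MTU", m, "MSS", tcp_mss_for(m))
```

With these parameters a 1500-byte inner packet becomes 1560 bytes and must fragment, while the 1400-byte MTU that worked for the client becomes 1464 bytes and fits; the largest unfragmented inner MTU is 1438 (1422 behind NAT-T), giving a TCP MSS of 1398 (1382).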