 From:  Michael Stecher <Michael dot Stecher at cib dot de>
 To:  'Kristian Shaw' <monowall at wealdclose dot co dot uk>, "'m0n0wall at lists dot m0n0 dot ch'" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  AW: [m0n0wall] Problem with IPSec VPN Tunnel - MTU-Size?
 Date:  Thu, 14 Feb 2008 17:20:10 +0100
Hello Kris,

no problem!

The CISCO is our own - but it's our (only) productive router in front of our network. Tests with this
system aren't easy and unnecessary downtime isn't good for me (and my job)! ;)

We decided today to reduce the MTU on the client PCs at the remote location (about 6 hosts), so they
can access our services (mail, file sharing, ...). I've also ordered a third Alix board for testing
without our CISCO and more tests with partners who also have an SDSL connection.

I'll let you know if I've got more results.

Many thanks for your help!

Michael





From: Kristian Shaw [mailto:monowall at wealdclose dot co dot uk]
Sent: Thursday, 14 February 2008 01:53
To: Michael Stecher
Subject: Re: [m0n0wall] Problem with IPSec VPN Tunnel - MTU-Size?

Hello,

Sorry, I didn't read your forum post yesterday so I didn't see that you had already tried my
suggestions.

Is the Cisco 1720 owned by you or the ISP? Perhaps it is also running a firewall and is blocking
fragmented packets? If it's yours, then does the m0n0wall VPN work OK with the Cisco firewall
disabled?

The same goes for the other end with just the modem. For example, I normally use Zyxel ADSL
modems/routers, but I disable the firewall part of them otherwise it interferes with the main
firewall I put behind them (as they will have different TCP/UDP connection timeouts, packet
inspection etc).

Kris.


----- Original Message -----
From: "Michael Stecher" <Michael dot Stecher at cib dot de>
To: "'Kristian Shaw'" <monowall at wealdclose dot co dot uk>; <m0n0wall at lists dot m0n0 dot ch>
Sent: Wednesday, February 13, 2008 9:05 AM
Subject: AW: [m0n0wall] Problem with IPSec VPN Tunnel - MTU-Size?


Hello,

Many thanks for your quick response.

1. We tried this out yesterday, but without any success.
2. We've also tried this, but lowering the WAN MTU causes most internet sites to be unreachable.

Are there any other options?

Best regards,

Michael




From: Kristian Shaw [mailto:monowall at wealdclose dot co dot uk]
Sent: Wednesday, 13 February 2008 09:57
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Problem with IPSec VPN Tunnel - MTU-Size?

Hello,

1. Try enabling fragmented packets on the rules that allow outbound traffic from the LAN (or OP1
etc) and also tick the box in advanced options to allow fragmented packets.

2. If that doesn't work, try lowering the MTU of the WAN interface on both ends of the link.

Kris.

----- Original Message -----
From: "Michael Stecher" <Michael dot Stecher at cib dot de>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Wednesday, February 13, 2008 8:51 AM
Subject: [m0n0wall] Problem with IPSec VPN Tunnel - MTU-Size?


Hello,

we've got a running IPSec tunnel between two locations. Now we've got the problem that some packets
get lost. We've changed the MTU on a client PC to 1400 and everything works fine.

Now my question: Is it possible to change the MTU size (or the MSS value) of the tunnel?

More detailed information is described here:
http://forum.m0n0.ch/index.php/topic,1630.0.html

Many thanks for your help.

Best regards,

Michael Stecher


