 From:  "Marek Läll" <marek dot lall at neti dot ee>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: Re: AW: Problem with IPSec VPN Tunnel - MTU-Size?
 Date:  Thu, 14 Feb 2008 22:30:32 +0200
"Lee Sharp" <leesharp at hal dash pc dot org> wrote in message 
news:47B352BC dot 6000005 at hal dash pc dot org...
> Actually blame Windows...  What is happening is that NAT takes a little of 
> the packet, and VPN takes a little of the packet.  (PPPoE will as well)  A 
> TCP/IP stack is "supposed" to look for this, but Windows doesn't.  I set 
> Windows servers to a MTU of 1400 just to avoid this.

I also tested it with Debian etch 2.6.18-5-686 on both ends.
Result is exactly the same.

Here are 2 examples that do not work (m0n0wall (firewall) starts blocking 
UDP packets):
- open an ssh session and start "top"
- execute scp /bin/tar <remote-ip>:.

I do agree that if I set the MTU of the servers (Win, Lnx, others) to a lower 
value then it works,
but I think this is not expected behaviour of IPSec (NAT-T) tunnels /