 From:  JR <tiresias at gmail dot com>
 To:  "Michael Stecher" <Michael dot Stecher at cib dot de>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Problem with IPSec VPN Tunnel - MTU-Size?
 Date:  Sat, 16 Feb 2008 12:44:46 -0500
On Feb 13, 2008 3:51 AM, Michael Stecher <Michael dot Stecher at cib dot de> wrote:
> Hello,
> we've got a running IPSec tunnel between two locations. Now we've got the problem that some
> packets get lost. We've changed the mtu on a client PC to 1400 and anything works fine.
> Now my question: Is it possible to change the mtu-size (or the mss-value) of the tunnel?
> More detailed information is described here: http://forum.m0n0.ch/index.php/topic,1630.0.html

I had the same MTU problem with an IPSEC tunnel a few years ago. Both
were on cable and I checked with the ISP but they told me they saw no
problems. I ended up setting up tunnels from both sites (I'll call
them A and B) to a third location known to be working with IPSEC VPN
to track down the problem. From site A to the third site, the tunnel
worked perfectly at any packet size. From site B to the third site I
saw the same MTU problem with large packets lost on the VPN.  I went
back to the ISP with this information and they found out that the
cable modem at site B had known problems with IPSEC. They replaced it
with the same model that we had at site A (Cisco UBR900) and then the
MTU problem went away and the tunnel worked great.

Maybe this is relevant to your problem, maybe not, but I did see you
mentioned some type of modem at your remote site. Creating tunnels to
a third site might be a useful test and if it turns up similar results
you might check that modem or swap it out.