 From:  "Kristian Shaw" <monowall at wealdclose dot co dot uk>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Cc:  Marek Läll <marek dot lall at neti dot ee>
 Subject:  Re: [m0n0wall] Problem with IPSec VPN Tunnel - MTU-Size?
 Date:  Sat, 16 Feb 2008 20:16:28 -0000

I did some testing and I was able to replicate the problem with packets 
being dropped in IPSEC NAT-T mode.

If filter.inc is modified to allow fragmented packets on port 4500 
(automatic rule that is created when IPSEC is enabled) then everything 
appears to work OK.

# Pass NAT-T encapsulated ESP packets
pass in quick on {$ifname} proto udp from any to {$ip} port = 4500 keep 
pass out quick on {$ifname} proto udp from {$ip} port = 4500 to any keep 



----- Original Message ----- 
From: "JR" <tiresias at gmail dot com>
To: "Michael Stecher" <Michael dot Stecher at cib dot de>; <m0n0wall at lists dot m0n0 dot ch>
Sent: Saturday, February 16, 2008 5:44 PM
Subject: Re: [m0n0wall] Problem with IPSec VPN Tunnel - MTU-Size?

> On Feb 13, 2008 3:51 AM, Michael Stecher <Michael dot Stecher at cib dot de> wrote:
>> Hello,
>> we've got a running IPSec tunnel between two locations. Now we've got the 
>> problem that some packets get lost. We've changed the mtu on a client PC 
>> to 1400 and anything works fine.
>> Now my question: Is it possible to change the mtu-size (or the mss-value) 
>> of the tunnel?
>> More detailed information is described here: 
>> http://forum.m0n0.ch/index.php/topic,1630.0.html
> I had the same MTU problem with an IPSEC tunnel a few years ago. Both
> were on cable and I checked with the ISP but they told me they saw no
> problems. I ended up setting up tunnels from both sites (I'll call
> them A and B) to a third location known to be working with IPSEC VPN
> to track down the problem. From site A to the third site, the tunnel
> worked perfectly at any packet size. From site B to the third site I
> saw the same MTU problem with large packets lost on the VPN.  I went
> back to the ISP with this information and they found out that the
> cable modem at site B had known problems with IPSEC. They replaced it
> with the same model that we had at site A (Cisco UBR900) and then the
> MTU problem went away and the tunnel worked great.
> Maybe this is relevant to your problem, maybe not, but I did see you
> mentioned some type of modem at your remote site. Creating tunnels to
> a third site might be a useful test and if it turns up similar results
> you might check that modem or swap it out.
> JR
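The two observations in this thread (large packets vanish inside the tunnel, and passing fragments on UDP/4500 fixes it) come from the same mechanism: once a NAT-T datagram is fragmented, only the first fragment carries the UDP header, so a rule that matches "port = 4500" never sees the rest. The following is an added illustration and not code from the thread or from m0n0wall; it builds two constructed IPv4 fragments, models a port-matching rule against them, and estimates NAT-T outer packet size assuming AES-CBC with a 16-byte IV and a 12-byte ICV (adjust for your SA).

```python
import struct

NAT_T_PORT = 4500   # IKE/ESP NAT traversal port from the thread

def ipv4_header(total_len, ident, more_frags, frag_offset, proto=17):
    """Minimal 20-byte IPv4 header; checksum left zero (constructed packet)."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def parse_ipv4(pkt):
    """Return (proto, more_frags, fragment offset in bytes, payload)."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    return pkt[9], bool(flags_frag & 0x2000), (flags_frag & 0x1FFF) * 8, pkt[ihl:]

def matches_udp_port_rule(pkt, port):
    """Model of a 'proto udp ... port = <port>' rule with no fragment handling:
    a port can only be read from the fragment at offset 0."""
    proto, _more, offset, payload = parse_ipv4(pkt)
    if proto != 17 or offset != 0 or len(payload) < 8:
        return False   # non-first fragment: no UDP header to inspect, so no match
    _src, dst = struct.unpack("!HH", payload[:4])
    return dst == port

def fragment_nat_t_datagram(udp_payload_len, mtu=1500):
    """Split one constructed UDP/4500 datagram into IPv4 fragments for `mtu`."""
    udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + udp_payload_len, 0)
    udp += b"\x00" * udp_payload_len
    chunk = (mtu - 20) // 8 * 8   # fragment data must be a multiple of 8 bytes
    frags, off = [], 0
    while off < len(udp):
        piece = udp[off:off + chunk]
        more = off + len(piece) < len(udp)
        frags.append(ipv4_header(20 + len(piece), 0x1234, more, off) + piece)
        off += len(piece)
    return frags

def nat_t_outer_size(inner_len, iv=16, block=16, icv=12):
    """Outer IPv4 length of a NAT-T ESP packet carrying `inner_len` inner bytes.
    Overhead assumed: outer IP 20 + UDP 8 + SPI/seq 8 + IV + pad + 2 + ICV."""
    pad = (-(inner_len + 2)) % block   # ESP trailer pads to the cipher block
    return 20 + 8 + 8 + iv + inner_len + pad + 2 + icv
```

With these assumptions a 1500-byte inner packet becomes 1568 bytes on the wire (fragmented on a 1500-byte link), while the 1400-byte MTU the original poster settled on yields 1472 bytes and fits.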