 From:  Steven Nusser <jaguar11735 at gmail dot com>
 To:  Mike Robison <mrobison at wts dot edu>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] ssh over an ipsec site to site tunnel
 Date:  Wed, 25 Jan 2012 11:03:11 -0500
How is your firewall configured? In order for PMTUD (Path MTU Discovery) to
function correctly, ICMP 'Destination Unreachable' messages must be
permitted through the firewall. At least on my m0n0wall devices, I
typically allow all ICMP traffic through, although you should have the
option to only allow that specific ICMP type through. Setting this should
allow your computer to detect the lower MTU of the IPSEC link, and send
packets accordingly.

Steven C. Nusser

On Wed, Jan 25, 2012 at 10:51 AM, Mike Robison <mrobison at wts dot edu> wrote:

> Hi,
>    I'm attempting to run an ssh connection over an ipsec site to site
> tunnel and I'm running into MTU issues. I have a workaround that works, but
> it doesn't feel proper. I've got two m0n0walls (v1.33) set up as the end
> points in the ipsec tunnel, connecting two subnets. Running ifconfig on
> either tells me that the MTU is at 1500. When I attempt to ssh from one
> subnet to the other, the connection hangs when running commands like ls -la
> or ps aux. After some poking around, I found that both my ssh client and
> server have their MTU set to 1500. I changed the client to 1440 and the ssh
> connection works like a charm. What I think is happening is this: The ipsec
> tunnel is not properly reforming the ssh packets at end of the tunnel,
> thereby causing the ssh tunnel to collapse.
>   Has anyone else discovered a better solution than modifying the MTU of
> the ssh client? That is to say, is there a suggested way of ensuring the
> ipsec tunnel properly reforms the packets in M0n0wall itself? Or do I
> actually not understand what is going on here?
> Thanks,
> Mike Robison
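Added worked example (not part of the thread, and not m0n0wall's own code): it shows the two halves of the reply above in runnable form. First, why the tunnel's usable MTU is below 1500: ESP tunnel mode adds an outer IPv4 header, the ESP header, the cipher IV, padding to the cipher block size, a 2-byte trailer and the integrity check value, so the largest inner packet that still fits a 1500-byte link is computed, not guessed. Second, why the ssh session hangs rather than adapting: the sender only learns the smaller MTU from an ICMP type 3, code 4 ("fragmentation needed and DF set") message carrying the Next-Hop MTU field, and if the firewall drops that message the large segments vanish silently. The cipher parameters (AES-128-CBC with a 16-byte IV, HMAC-SHA1-96 with a 12-byte ICV, and 3DES with an 8-byte block for comparison), the policy names and the constructed quoted IP header are all assumptions made for the example.

```python
"""Added example (not from the m0n0wall thread): ESP tunnel-mode MTU budget and
a PMTUD round that succeeds or stalls depending on inbound ICMP policy.
Cipher parameters, policy names and the constructed packet are assumptions."""
import struct

ICMP_DEST_UNREACH = 3          # ICMP type
ICMP_FRAG_NEEDED = 4           # code under type 3 (RFC 1191)
IPV4_HDR = 20
TCP_HDR = 20
ESP_HDR = 8                    # SPI + sequence number
ESP_TRAILER = 2                # pad length + next header


def esp_tunnel_size(inner_len, block, iv_len, icv_len, nat_t=False):
    """Bytes on the wire for one inner IPv4 packet in ESP tunnel mode.
    Padding brings (inner + trailer) up to a multiple of the cipher block."""
    payload = inner_len + ESP_TRAILER
    pad = (-payload) % block
    size = IPV4_HDR + ESP_HDR + iv_len + payload + pad + icv_len
    return size + 8 if nat_t else size   # NAT-T wraps ESP in a UDP header


def max_inner_mtu(link_mtu, block, iv_len, icv_len, nat_t=False):
    """Largest inner packet that still fits link_mtu after encapsulation."""
    inner = link_mtu
    while esp_tunnel_size(inner, block, iv_len, icv_len, nat_t) > link_mtu:
        inner -= 1
    return inner


def tcp_mss_for(mtu):
    """MSS to advertise (or clamp to) for a given path MTU."""
    return mtu - IPV4_HDR - TCP_HDR


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum; over a whole message it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu, quoted):
    """ICMP 'fragmentation needed and DF set' as a router emits it: type 3,
    code 4, 16 unused bits, Next-Hop MTU, then the offending IP header + 8 bytes."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
                       0, 0, next_hop_mtu) + quoted
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_icmp(msg):
    """Return (type, code, next_hop_mtu) after validating the checksum."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP message")
    icmp_type, code, _, _, mtu = struct.unpack("!BBHHH", msg[:8])
    return icmp_type, code, mtu


def icmp_permitted(icmp_type, icmp_code, policy):
    """Inbound ICMP policy (names assumed): 'all', 'dest-unreach' (whole
    type 3, what the reply describes), or 'frag-needed' (only 3/4, the
    minimum PMTUD needs). Anything else drops the message."""
    if policy == "all":
        return True
    if policy == "dest-unreach":
        return icmp_type == ICMP_DEST_UNREACH
    if policy == "frag-needed":
        return (icmp_type, icmp_code) == (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED)
    return False


def pmtud(policy, sender_mtu=1500, tunnel_mtu=1438):
    """One PMTUD round: the sender emits a full-size DF packet, the tunnel
    endpoint answers with frag-needed, the firewall applies `policy`.
    Returns the MTU the sender ends up using, or None when it never learns
    (the 'ls -la hangs' symptom: large segments are dropped without notice)."""
    if sender_mtu <= tunnel_mtu:
        return sender_mtu
    # Constructed quote: a 20-byte IPv4 header (total length = sender_mtu) + 8 bytes.
    quoted = b"\x45\x00" + struct.pack("!H", sender_mtu) + b"\x00" * 24
    icmp = build_frag_needed(tunnel_mtu, quoted)
    icmp_type, code, mtu = parse_icmp(icmp)
    if not icmp_permitted(icmp_type, code, policy):
        return None
    return mtu


if __name__ == "__main__":
    aes_sha1 = max_inner_mtu(1500, block=16, iv_len=16, icv_len=12)
    print("AES-CBC/SHA1 tunnel MTU:", aes_sha1, "-> clamp MSS to", tcp_mss_for(aes_sha1))
    print("3DES/SHA1 tunnel MTU:", max_inner_mtu(1500, block=8, iv_len=8, icv_len=12))
    for policy in ("all", "dest-unreach", "frag-needed", "none"):
        print("policy", policy, "-> sender MTU", pmtud(policy, tunnel_mtu=aes_sha1))
```

The policy that lets only type 3 / code 4 through is the narrow option the reply mentions and is enough for PMTUD to work; the computed tunnel MTU depends on the cipher suite, so the figure a client should end up at is whatever the firewall reports in the Next-Hop MTU field, not a fixed number.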