That was a really interesting idea. And it makes sense. Sadly, I just
tried it and it doesn't seem to work for me. Just to make sure I understood
you correctly, I set up the following firewall rule on both firewalls:
<descr>IPSec Path MTU Correction</descr>
I don't know if the following impacts this, but earlier I turned on "Allow
fragmented IPSec packets" on both m0n0walls. Perhaps, by setting that, I
turned PMTUD off?
On Wed, Jan 25, 2012 at 11:03 AM, Steven Nusser <jaguar11735 at gmail dot com>wrote:
> How is your firewall configured? In order for PMTUD (Path MTU Discovery)
> to function correctly, ICMP 'Destination Unreachable' messages must be
> permitted through the firewall. At least on my m0n0wall devices, I
> typically allow all ICMP traffic through, although you should have the
> option to only allow that specific ICMP type through. Setting this should
> allow your computer to detect the lower MTU of the IPSEC link, and send
> packets accordingly.
> Steven C. Nusser
> On Wed, Jan 25, 2012 at 10:51 AM, Mike Robison <mrobison at wts dot edu> wrote:
>> I'm attempting to run an ssh connection over an ipsec site to site
>> tunnel and I'm running into MTU issues. I have a workaround that works,
>> it doesn't feel proper. I've got two m0n0wall's (v1.33) set up as the end
>> points in the ipsec tunnel, connecting two subnets. Running ifconfig on
>> either tells me that the MTU is at 1500. When I attempt to ssh from one
>> subnet to the other, the connection hangs when running commands like ls
>> or ps aux. After some poking around, I found that both my ssh client and
>> server have their MTU set to 1500. I changed the client to 1440 and the
>> connection works like a charm. What I think is happening is this: The
>> tunnel is not properly reforming the ssh packets at end of the tunnel,
>> thereby causing the ssh tunnel to collapse.
>> Has anyone else discovered a better solution than modifying the MTU of
>> the ssh client? That is to say, is there a suggested way of ensuring the
>> ipsec tunnel properly reforms the packets in M0n0wall itself? Or do I
>> actually not understand what is going here?
>> Mike Robison