 From:  Michael Sierchio <kudzu at tenebras dot com>
 To:  Mike Robison <mrobison at wts dot edu>
 Cc:  Steven Nusser <jaguar11735 at gmail dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] ssh over an ipsec site to site tunnel
 Date:  Wed, 25 Jan 2012 08:38:27 -0800
Possibly - the behavior you describe is one I have seen when packets
are not fragmented before encapsulation.  The NEED-FRAG ICMP error
message doesn't get sent.

On Wed, Jan 25, 2012 at 8:26 AM, Mike Robison <mrobison at wts dot edu> wrote:
> Steven,

> tried it and it doesn't seem to work for me. Just to make sure I understood
> you correctly, I set up the following firewall rule on both firewalls:
> <rule>










> </rule>
> I don't know if the following impacts this, but earlier I turned on "Allow
> fragmented IPSec packets" on both m0n0walls. Perhaps, by setting that, I
> turned PMTUD off?
> Mike Robison
>
> On Wed, Jan 25, 2012 at 11:03 AM, Steven Nusser <jaguar11735 at gmail dot com> wrote:
>
>> How is your firewall configured? In order for PMTUD (Path MTU Discovery)
>> to function correctly, ICMP 'Destination Unreachable' messages must be
>> permitted through the firewall. At least on my m0n0wall devices, I
>> typically allow all ICMP traffic through, although you should have the
>> option to only allow that specific ICMP type through. Setting this should
>> allow your computer to detect the lower MTU of the IPSEC link, and send
>> packets accordingly.
>>
>> --
>> Steven C. Nusser
>>
>>
>>
>> On Wed, Jan 25, 2012 at 10:51 AM, Mike Robison <mrobison at wts dot edu> wrote:
>>
>>> Hi,

>>> tunnel and I'm running into MTU issues. I have a workaround that works, but
>>> it doesn't feel proper. I've got two m0n0walls (v1.33) set up as the end
>>> points in the ipsec tunnel, connecting two subnets. Running ifconfig on
>>> either tells me that the MTU is at 1500. When I attempt to ssh from one
>>> subnet to the other, the connection hangs when running commands like ls -la
>>> or ps aux. After some poking around, I found that both my ssh client and
>>> server have their MTU set to 1500. I changed the client to 1440 and the ssh
>>> connection works like a charm. What I think is happening is this: The ipsec
>>> tunnel is not properly reforming the ssh packets at the end of the tunnel,
>>> thereby causing the ssh tunnel to collapse.

>>> the ssh client? That is to say, is there a suggested way of ensuring the
>>> ipsec tunnel properly reforms the packets in M0n0wall itself? Or do I
>>> actually not understand what is going on here?
>>> Thanks,
>>> Mike Robison
>>>
>>
>>
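Steven's point (PMTUD only works if the ICMP "Destination Unreachable" error for a too-large DF packet reaches the sender) and Michael's (the NEED-FRAG error never gets generated when the packet is not fragmented before encapsulation) both come down to one message type: ICMP type 3, code 4, "fragmentation needed and DF set", which carries the next-hop MTU in its header (RFC 1191). The following Python is an added example, not code from this thread or from m0n0wall: it builds a constructed fragmentation-needed message, validates its checksum and layout, extracts the advertised MTU and the inner packet's endpoints, and runs that check over a batch of ICMP payloads so you can see whether PMTUD signals are actually arriving. The addresses, ports and IP identification value are constructed; the 1440 MTU is the value Mike found to work.

```python
import struct

ICMP_DEST_UNREACH = 3   # ICMP type "Destination Unreachable"
ICMP_FRAG_NEEDED = 4    # code "Fragmentation needed and DF set" (RFC 792 / RFC 1191)
IP_FLAG_DF = 0x4000     # "Don't Fragment" bit in the IPv4 flags/fragment-offset word


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071). Run over a message
    whose checksum field is already filled in, it returns 0 if the checksum
    is correct; that is how parse_frag_needed() verifies it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def sample_inner_ipv4(src: str, dst: str, total_len: int = 1500, df: bool = True) -> bytes:
    """Constructed IPv4 header (IHL=5) plus the first 8 bytes of a TCP segment
    to port 22, i.e. the part of the offending packet a router echoes back
    inside the ICMP error. Identification and ports are made-up values."""
    flags_frag = IP_FLAG_DF if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                     64, 6, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    tcp8 = struct.pack("!HHI", 51234, 22, 0)   # src port, dst port 22, seq
    return ip + tcp8


def build_frag_needed(next_hop_mtu: int, inner: bytes) -> bytes:
    """ICMP type 3 / code 4. Per RFC 1191 the low 16 bits of the header's
    second word carry the next-hop MTU; the body is the inner IP header + 8."""
    def pack(csum):
        return struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
                           csum, 0, next_hop_mtu) + inner
    return pack(icmp_checksum(pack(0)))


def parse_frag_needed(icmp: bytes):
    """Return next-hop MTU and inner-packet facts for a valid fragmentation-
    needed message; None for anything else (other type/code, bad checksum,
    truncated, or a malformed inner header)."""
    if len(icmp) < 8 + 20:
        return None
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if itype != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    if icmp_checksum(icmp) != 0:
        return None
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if (inner[0] >> 4) != 4 or ihl < 20 or len(inner) < ihl:
        return None
    total_len = struct.unpack("!H", inner[2:4])[0]
    flags_frag = struct.unpack("!H", inner[6:8])[0]
    return {
        "next_hop_mtu": mtu,
        "src": ".".join(str(b) for b in inner[12:16]),
        "dst": ".".join(str(b) for b in inner[16:20]),
        "proto": inner[9],
        "orig_len": total_len,
        "df": bool(flags_frag & IP_FLAG_DF),
    }


def pmtu_signals(icmp_messages):
    """Diagnostic over a batch of captured ICMP payloads: which (src, dst)
    pairs received a fragmentation-needed error and what MTU was advertised.
    If hosts are sending DF packets larger than the tunnel carries and this
    comes back empty, the error is either not generated (Michael's case) or
    not passing the firewall (Steven's case)."""
    seen = {}
    for msg in icmp_messages:
        info = parse_frag_needed(msg)
        if info is not None:
            seen[(info["src"], info["dst"])] = info["next_hop_mtu"]
    return seen


if __name__ == "__main__":
    inner = sample_inner_ipv4("192.168.1.10", "192.168.2.20")
    frag_needed = build_frag_needed(1440, inner)
    echo_request = b"\x08\x00" + b"\x00" * 26   # constructed, not a frag-needed error
    print(parse_frag_needed(frag_needed))
    print(pmtu_signals([echo_request, frag_needed]))
```

On a live box the same parse can be run over the ICMP payloads of a packet capture taken on the inside interface of each m0n0wall: a host that is sending 1500-byte DF packets into the tunnel should see a type 3 / code 4 message advertising the smaller path MTU; if none appear while the large packets are being sent, PMTUD cannot work and clamping the client MTU (as Mike did with 1440) is the only thing that will.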