[ previous ] [ next ] [ threads ]
 From:  "David Bottrill" <david at bottrill dot org>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Re: Beta version 1.1b6 available
 Date:  Fri, 23 Apr 2004 17:44:44 +0100 (BST)
Andy Lee said:
> We're getting a problem that might be related to this MTU problem
> with an IPSEC-based VPN that connects two offices across the internet
> with one side connected to the internet via PPPoE.
> Using ping to test packet sizes going across the IPSEC tunnel, it
> appears that any packet larger than 1418 bytes will not get through
> to the other side of the tunnel. I'm not sure if it is IPSEC, PPPoE,
> or both that are causing this MTU limit.
> Do these new changes/fixes address this particular problem?
> Will clamping the MTU/MSS on just the LAN interfaces of our two
> m0n0wall-based routers fix this?

This won't work if the devices are sending packets with the Don't frag bit
set. Normally I would expect a VPN router (Cisco for Instance) to return a
special type of Destination Unreachable (ICMP Type 3 code 4) packet back
to the originating server with the maximum MTU size allowed, most recent
TCP/IP stacks support MTU discovery and will handle this and reduce their
MTU size automatically. This is certainly true with recent versions
Windows, Solaris, Linux (I hope) etc.

Can someone clarify if M0n0wall supports this feature.

David Bottrill

david at bottrill dot org
Registered Linux user number 330730