 From:  Andy Lee <m0n0wall at trigger dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  PPPoE and IPSEC not possible in practice?
 Date:  Tue, 27 Apr 2004 02:28:56 -0400
I'm guessing that no one else has gotten IPSEC working when
using a PPPoE connection.

I can bring up the SAs between two m0n0wall routers simply
by sending a few pings from one private subnet to the other.

However, it seems that practical network traffic, like
Windows Networking for non-small directories, Windows
Terminal Services, or even web-browsing to an Intranet
web server will not work. I am guessing that they are using
large packets.

Since m0n0wall uses the FAST_IPSEC, I can't try to reduce
the MTU on the ipsec interface (or I don't know how). I
have tried reducing the MTU of the LAN interfaces (by
running "ifconfig sis0 mtu 1300" from /exec.php) but that
didn't solve the problem. I'm not even sure if this would
have fixed it since I don't understand this MTU/MSS
behaviour well. Perhaps the BSD TCP/IP stack reassembled
the fragments before putting it through IPSEC.

As a workaround, will forcing all the end-user PCs to use
a lower MTU work? There is apparently a Windows 2000 registry
entry that can force maximum MTU sizes. If anyone has any
insight, it would be much appreciated!

Thanks,

Andy
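
The size arithmetic behind the MTU/MSS question above, as an added example that is not part of the original post: it computes how much an ESP tunnel-mode packet grows and what inner packet size still fits a PPPoE link unfragmented. Assumptions not taken from the post: IPv4, no NAT-T, no IP or TCP options, and the two transforms listed in `TRANSFORMS`.

```python
# Added example: ESP tunnel-mode overhead on a PPPoE link.
# Assumptions (not from the post): IPv4, no NAT-T, no IP/TCP options,
# and the transforms listed in TRANSFORMS.
PPPOE_MTU = 1500 - 8   # Ethernet payload minus PPPoE (6) and PPP (2) headers
OUTER_IP = 20          # outer IPv4 header added by tunnel mode
ESP_HDR = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length + next header, encrypted with the payload
TCP_IP_HDRS = 40       # inner IPv4 (20) + TCP (20)

# name: (cipher block size, IV size, ICV size), all in bytes
TRANSFORMS = {
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
}

def esp_packet_size(inner_len, transform):
    """Size of the outer packet carrying an inner IP packet of inner_len bytes."""
    block, iv, icv = TRANSFORMS[transform]
    # Inner packet plus trailer is padded up to a whole number of cipher blocks.
    encrypted = -(-(inner_len + ESP_TRAILER) // block) * block
    return OUTER_IP + ESP_HDR + iv + encrypted + icv

def max_inner_packet(link_mtu, transform):
    """Largest inner IP packet whose ESP packet fits in link_mtu unfragmented."""
    block, iv, icv = TRANSFORMS[transform]
    room = link_mtu - OUTER_IP - ESP_HDR - iv - icv
    return (room // block) * block - ESP_TRAILER

def max_tcp_mss(link_mtu, transform):
    """Largest TCP MSS whose segments pass through the tunnel unfragmented."""
    return max_inner_packet(link_mtu, transform) - TCP_IP_HDRS

if __name__ == "__main__":
    for name in TRANSFORMS:
        limit = max_inner_packet(PPPOE_MTU, name)
        print(f"{name}: inner MTU {limit}, TCP MSS {max_tcp_mss(PPPOE_MTU, name)}")
        # Constructed sizes: a small ping, the 1300 tried in the post, a full LAN packet.
        for size in (84, 1300, 1500):
            outer = esp_packet_size(size, name)
            verdict = "fits" if outer <= PPPOE_MTU else "needs fragmentation"
            print(f"  inner {size:4d} -> outer {outer:4d}: {verdict}")
```
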