[ previous ] [ next ] [ threads ]
 
 From:  Christiaens Joachim <jchristi at oce dot be>
 To:  "'Andy Lee'" <m0n0wall at trigger dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] PPPoE and IPSEC not possible in practice?
 Date:  Tue, 27 Apr 2004 18:45:12 +0200
> -----Original Message-----
> From: Andy Lee [mailto:m0n0wall at trigger dot net]
> Sent: dinsdag 27 april 2004 8:29
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] PPPoE and IPSEC not possible in practice?
> 
> 
> I'm guessing that noone else has gotten IPSEC working when
> using a PPPoE connection.
> 
> I can bring up the SA's between two m0n0wall routers simply
> by sending a few pings from one private subnet to the other.
> 
> However, it seems that practical network traffic, like
> Windows Networking for non-small directories, Windows
> Terminal Services, or even web-browsing to an Intranet
> web server will not work. I am guessing that they are using
> large packets.
> 
> Since m0n0wall uses the FAST_IPSEC, I can't try to reduce
> the MTU on the ipsec interface (or I don't know how). I
> have tried reducing the MTU of the LAN interfaces (by
> running "ifconfig sis0 mtu 1300" from /exec.php) but that
> didn't solve the problem. I'm not even sure if this would
> have fixed it since I'm don't understand this MTU/MSS
> behaviour well. Perhaps the BSD TCP/IP stack reassembled
> the fragments before putting it through IPSEC.
> 
> As a workaround, will forcing all the end-user PC's to use
> a lower MTU work? There is apparently a Windows 2000 registry
> entry that can force maximum MTU sizes. If anyone has any
> insight, it would be much appreciated!

Well, this last thing I have done with w2003 servers (DC's) to overcome this
problem.

Not exactly the same problem, but when using the Safenet softremote client,
the MTU is set in Windows to 1372. On a pc with some realtek network-cards,
this gives problems (I guess the ICMP reply to fragment is not sent
correctly, when bigger packets are received), and DC-authentication (on
plain ethernet) suffered from this. Setting the MTU on the DC's to 1372
solved the problem.

I guess setting the MTU on both sides will solve your problem... maybe... :)

Joachim


-----------------------------------------------
MISSION STATEMENT 
-----------------------------------------------
Oce enables its customers to manage their documents efficiently and
effectively by offering innovative print and document management products
and services for professional environments.

-----------------------------------------------
DISCLAIMER 
-----------------------------------------------
This e-mail message and any attachment are intended for the sole use of the
recipient(s) named above and may contain information which is confidential
and/or protected by intellectual property rights.
Any use of the information contained herein (including, but not limited to,
total or partial reproduction, communication or distribution in any form) by
other persons than the designated recipient(s) is prohibited.

If you have received this e-mail in error, please notify the sender either
by telephone (0032-2-729.48.11) or by e-mail and delete the material from
any computer.
Oce-Belgium/Oce-Interservices is nor responsible for the correct and
complete transfer of the contents of the sent e-mail, neither for the
receipt on due time.  This e-mail message does not bring about a contractual
obligation for Oce-Belgium/Oce-Interservices.

Thank you for your cooperation.

For further information about Oce-Belgium/Oce-Interservices please see our
website at www.oce.be

-----------------------------------------------