Thanks for the response!

Looks like adjusting the MTU on the end-PC's of the branch connected via PPPoE fixed the problem. The servers on the non-PPPoE branch did not need their MTU sizes changed. I wonder if Windows 2000 PC's will honour a DHCP option for MTU setting...

Andy

Christiaens Joachim wrote:

>>-----Original Message-----
>>From: Andy Lee [mailto:m0n0wall at trigger dot net]
>>Sent: dinsdag 27 april 2004 8:29
>>To: m0n0wall at lists dot m0n0 dot ch
>>Subject: [m0n0wall] PPPoE and IPSEC not possible in practice?
>>
>>
>>I'm guessing that no one else has gotten IPSEC working when
>>using a PPPoE connection.
>>
>>I can bring up the SA's between two m0n0wall routers simply
>>by sending a few pings from one private subnet to the other.
>>
>>However, it seems that practical network traffic, like
>>Windows Networking for non-small directories, Windows
>>Terminal Services, or even web-browsing to an Intranet
>>web server will not work. I am guessing that they are using
>>large packets.
>>
>>Since m0n0wall uses the FAST_IPSEC, I can't try to reduce
>>the MTU on the ipsec interface (or I don't know how). I
>>have tried reducing the MTU of the LAN interfaces (by
>>running "ifconfig sis0 mtu 1300" from /exec.php) but that
>>didn't solve the problem. I'm not even sure if this would
>>have fixed it since I don't understand this MTU/MSS
>>behaviour well. Perhaps the BSD TCP/IP stack reassembled
>>the fragments before putting it through IPSEC.
>>
>>As a workaround, will forcing all the end-user PC's to use
>>a lower MTU work? There is apparently a Windows 2000 registry
>>entry that can force maximum MTU sizes. If anyone has any
>>insight, it would be much appreciated!
>
> Well, this last thing I have done with w2003 servers (DC's) to overcome this
> problem.
>
> Not exactly the same problem, but when using the Safenet softremote client,
> the MTU is set in Windows to 1372. On a pc with some realtek network-cards,
> this gives problems (I guess the ICMP reply to fragment is not sent
> correctly, when bigger packets are received), and DC-authentication (on
> plain ethernet) suffered from this. Setting the MTU on the DC's to 1372
> solved the problem.
>
> I guess setting the MTU on both sides will solve your problem... maybe... :)
>
> Joachim
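Added example (not part of the original thread and not m0n0wall code): the size arithmetic behind the symptom discussed above, showing how much an ESP tunnel-mode packet grows and which host MTU still fits a 1492-byte PPPoE link without fragmentation. The two transforms, IPv4 and tunnel mode are assumptions; the thread does not say which ciphers the tunnel used.

```python
# Added example: ESP tunnel-mode size arithmetic over a PPPoE link.
IP_HDR = 20          # outer IPv4 header, no options
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad-length + next-header bytes
PPPOE_OVERHEAD = 8   # 6-byte PPPoE header + 2-byte PPP protocol field

# (IV bytes, cipher block bytes, ICV bytes); assumed transforms, not from the thread
TRANSFORMS = {
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
}

def esp_outer_size(inner_len, transform, nat_t=False):
    """Size of the outer IPv4 packet that carries an inner packet of inner_len bytes."""
    iv, block, icv = TRANSFORMS[transform]
    # Inner packet plus the 2-byte trailer is padded up to a cipher-block boundary.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    udp = 8 if nat_t else 0  # NAT-T wraps ESP in a UDP header
    return IP_HDR + udp + ESP_HDR + iv + padded + icv

def max_inner_mtu(link_mtu, transform, nat_t=False):
    """Largest inner packet that still fits in a single outer packet on this link."""
    iv, block, icv = TRANSFORMS[transform]
    udp = 8 if nat_t else 0
    room = link_mtu - IP_HDR - udp - ESP_HDR - iv - icv
    return (room // block) * block - ESP_TRAILER

def report(link_mtu, candidates, transform):
    """Map each candidate host MTU to True if it crosses the link unfragmented."""
    return {m: esp_outer_size(m, transform) <= link_mtu for m in candidates}

if __name__ == "__main__":
    pppoe_mtu = 1500 - PPPOE_OVERHEAD  # 1492
    for name in TRANSFORMS:
        limit = max_inner_mtu(pppoe_mtu, name)
        print(f"{name}: max inner MTU {limit}, TCP MSS {limit - 40}")
        # 1500 is the default host MTU; 1372 and 1300 are values mentioned in the thread
        print("  ", report(pppoe_mtu, [1500, 1372, 1300], name))
```

A full-size 1500-byte packet from a LAN host cannot cross the tunnel in one piece, while hosts set to 1372 or 1300 stay under the limit for both assumed transforms.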