 
 From:  Andy Lee <m0n0wall at trigger dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] PPPoE and IPSEC not possible in practice?
 Date:  Wed, 28 Apr 2004 15:38:30 -0400
Thanks for the response!

Looks like adjusting the MTU on the end PCs of the branch
connected via PPPoE fixed the problem.

The servers on the non-PPPoE branch did not need their MTU
sizes changed.

I wonder if Windows 2000 PCs will honour a DHCP option for
the MTU setting...

Andy


Christiaens Joachim wrote:

>>-----Original Message-----
>>From: Andy Lee [mailto:m0n0wall at trigger dot net]
>>Sent: dinsdag 27 april 2004 8:29
>>To: m0n0wall at lists dot m0n0 dot ch
>>Subject: [m0n0wall] PPPoE and IPSEC not possible in practice?
>>
>>
>>I'm guessing that no one else has gotten IPSEC working when
>>using a PPPoE connection.
>>
>>I can bring up the SAs between two m0n0wall routers simply
>>by sending a few pings from one private subnet to the other.
>>
>>However, it seems that practical network traffic, like
>>Windows Networking for non-small directories, Windows
>>Terminal Services, or even web-browsing to an Intranet
>>web server will not work. I am guessing that they are using
>>large packets.
>>
>>Since m0n0wall uses FAST_IPSEC, I can't try to reduce
>>the MTU on the ipsec interface (or I don't know how). I
>>have tried reducing the MTU of the LAN interfaces (by
>>running "ifconfig sis0 mtu 1300" from /exec.php) but that
>>didn't solve the problem. I'm not even sure if this would
>>have fixed it since I don't understand this MTU/MSS
>>behaviour well. Perhaps the BSD TCP/IP stack reassembled
>>the fragments before putting it through IPSEC.
>>
>>As a workaround, will forcing all the end-user PC's to use
>>a lower MTU work? There is apparently a Windows 2000 registry
>>entry that can force maximum MTU sizes. If anyone has any
>>insight, it would be much appreciated!
> 
> 
> Well, this last thing is what I have done with W2003 servers (DCs) to
> overcome this problem.
> 
> Not exactly the same problem, but when using the SafeNet SoftRemote client,
> the MTU is set in Windows to 1372. On a PC with some Realtek network cards,
> this gives problems (I guess the ICMP reply to fragment is not sent
> correctly when bigger packets are received), and DC authentication (on
> plain Ethernet) suffered from this. Setting the MTU on the DCs to 1372
> solved the problem.
> 
> I guess setting the MTU on both sides will solve your problem... maybe... :)
> 
> Joachim
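The thread settles on lowering the MTU on the end PCs without saying how much room ESP over PPPoE actually leaves. The calculator below is an added example (not part of the thread and not m0n0wall code) that works it out: it takes the outer link MTU, subtracts the tunnel-mode ESP framing (outer IPv4 header, SPI and sequence number, cipher IV, padding to the cipher block size, pad-length/next-header trailer, and the ICV) and returns the largest inner IP packet that still fits, plus the TCP MSS a firewall would clamp to. The framing sizes are the standard ESP ones; the link MTUs (1500-byte Ethernet, 8 bytes of PPPoE overhead), the cipher and MAC choices, and the absence of IP options are assumptions for the scenario discussed above.

```python
"""ESP-over-PPPoE MTU calculator (constructed example, not m0n0wall code).

Assumptions: tunnel-mode ESP, IPv4 without options on both the inner and
outer packet, PPPoE adds 8 bytes (6-byte PPPoE header + 2-byte PPP
protocol field) on top of a 1500-byte Ethernet MTU.
"""

ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8
PPPOE_MTU = ETHERNET_MTU - PPPOE_OVERHEAD      # 1492
IPV4_HEADER = 20          # outer IPv4 header added in tunnel mode
ESP_HEADER = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2           # pad length (1) + next header (1)
TCP_IPV4_HEADERS = 40     # 20-byte IPv4 + 20-byte TCP, no options

# cipher -> (IV length, block size that payload+pad+trailer must align to)
CIPHERS = {
    "3des-cbc": (8, 8),
    "aes-cbc": (16, 16),
    "null": (0, 4),       # ESP still aligns the trailer to 4 bytes
}
# integrity algorithm -> ICV length
ICVS = {"hmac-sha1-96": 12, "hmac-md5-96": 12, "none": 0}


def esp_tunnel_overhead(inner_len, cipher="3des-cbc", icv="hmac-sha1-96"):
    """Bytes ESP tunnel mode adds around an inner packet of inner_len bytes."""
    iv_len, block = CIPHERS[cipher]
    # Padding brings (payload + pad + trailer) up to a multiple of the block size.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    pad = padded - inner_len - ESP_TRAILER
    return IPV4_HEADER + ESP_HEADER + iv_len + pad + ESP_TRAILER + ICVS[icv]


def fits(inner_len, outer_mtu, cipher="3des-cbc", icv="hmac-sha1-96"):
    """True if the encapsulated packet leaves the outer link unfragmented."""
    return inner_len + esp_tunnel_overhead(inner_len, cipher, icv) <= outer_mtu


def max_inner_len(outer_mtu, cipher="3des-cbc", icv="hmac-sha1-96"):
    """Largest inner IP packet that fits in outer_mtu after ESP encapsulation."""
    iv_len, block = CIPHERS[cipher]
    fixed = IPV4_HEADER + ESP_HEADER + iv_len + ICVS[icv]
    # The encrypted part (payload + pad + trailer) must be a whole number of blocks.
    encrypted_room = (outer_mtu - fixed) // block * block
    return encrypted_room - ESP_TRAILER


def tcp_mss(inner_mtu):
    """TCP MSS to advertise (or clamp to) so segments fit in inner_mtu."""
    return inner_mtu - TCP_IPV4_HEADERS


def plan(outer_mtu=PPPOE_MTU, cipher="3des-cbc", icv="hmac-sha1-96"):
    """Summarise what hosts behind the tunnel must be limited to."""
    inner = max_inner_len(outer_mtu, cipher, icv)
    return {
        "outer_mtu": outer_mtu,
        "cipher": cipher,
        "icv": icv,
        "host_mtu": inner,                 # what the end PCs should use
        "tcp_mss": tcp_mss(inner),         # what an MSS clamp should enforce
        "ethernet_packet_fits": fits(ETHERNET_MTU, outer_mtu, cipher, icv),
    }


if __name__ == "__main__":
    for cipher in ("3des-cbc", "aes-cbc"):
        for mtu in (ETHERNET_MTU, PPPOE_MTU):
            p = plan(mtu, cipher)
            print(f"{cipher:9} outer MTU {mtu}: host MTU {p['host_mtu']}, "
                  f"TCP MSS {p['tcp_mss']}, 1500-byte packet fits: "
                  f"{p['ethernet_packet_fits']}")
```

Two things the numbers make visible: a 1500-byte packet from a LAN host never fits after ESP encapsulation even on a plain 1500-byte WAN, so something must shrink it (host MTU, MSS clamping, or path MTU discovery that relies on ICMP "fragmentation needed" getting through the firewall); and the figure to hand the hosts is the one for the smallest outer MTU on the path, which for a PPPoE branch is 1492, not 1500.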