Re: IPSec tunnel stalled

Tue, 2004-09-28 at 10:04 -0700, Sean wrote: 
> Mikko Kortelainen wrote:
> > Tue, 2004-09-28 at 17:24, OpenBSD-List wrote:
> > 
> >>Hmm, my guess would be to decrease the MTU size on the bigger sized (in terms 
> >>of MTU) line. This helped me a lot when I tried to connect clients using 
> >>a dial-up line to connect to isakmpd on a leased line.
> > 
> > 
> > Ok, thanks a lot, that fixed the problem!
> > 
> > Both ends had an MTU of 1500 on the outbound interface. I dropped the
> > MTU of the OpenBSD gateway to 1400, and things started working. I still
> > wonder why, however. But that's nothing critical.
> It's a common problem. Packets are coming in as fragmented with the
> "don't fragment" bit set, so many firewalls (including pf) will drop
> them unless you configure them to do otherwise. There's some info here:
> http://www.enterprisenetworksandservers.com/monthly/art.php/120

Ok, so now my VPN tunnels seem to work very well with an MTU size of
1400. But I'm having trouble with some web sites (notably
windowsupdate.microsoft.com, but some others also). Reply packets simply
will not reach me behind the firewall, unless I temporarily return the
original MTU value of 1500.

Suggestions? (Dropping the MS products is not an option.)

ICMP messages are unrestricted by the firewall. I've tried using the
no-df scrub option, and also no scrub at all, but the issue remains.
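As an added illustration that is not part of the thread, here is a small Python model of the mechanism Sean describes: a 1500-byte packet with DF set that meets a 1400-byte link is either reported back to the sender with ICMP "fragmentation needed" (path MTU discovery works) or silently lost when that ICMP never arrives, while pf's `scrub no-df` clears DF so the packet can be fragmented instead. Addresses, sizes and the ESP protocol number are constructed sample values.

```python
import struct

DF = 0x4000  # IPv4 "don't fragment" flag
MF = 0x2000  # IPv4 "more fragments" flag


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the 20-byte header (checksum field zeroed)."""
    total = sum(struct.unpack("!10H", header[:10] + b"\x00\x00" + header[12:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(pkt: bytes) -> bool:
    """True if the header checksum in pkt verifies."""
    return ipv4_checksum(pkt[:20]) == struct.unpack("!H", pkt[10:12])[0]


def build_ipv4(total_len: int, df: bool = True, proto: int = 50) -> bytes:
    """Constructed sample: minimal IPv4 header (proto 50 = ESP) plus zero payload."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                                DF if df else 0, 64, proto, 0,
                                bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + b"\x00" * (total_len - 20)


def df_set(pkt: bytes) -> bool:
    return bool(struct.unpack("!H", pkt[6:8])[0] & DF)


def scrub_no_df(pkt: bytes) -> bytes:
    """Emulate pf 'scrub no-df': clear DF and recompute the checksum so downstream
    routers are allowed to fragment the packet instead of dropping it."""
    hdr = bytearray(pkt[:20])
    struct.pack_into("!H", hdr, 6, struct.unpack("!H", hdr[6:8])[0] & ~DF)
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def forward(pkt: bytes, link_mtu: int, icmp_reaches_sender: bool) -> str:
    """Router behaviour when a packet meets a link MTU: 'forwarded', 'fragmented',
    'icmp-frag-needed' (PMTUD works) or 'blackhole' (ICMP filtered: the stall)."""
    if struct.unpack("!H", pkt[2:4])[0] <= link_mtu:
        return "forwarded"
    if not df_set(pkt):
        return "fragmented"
    return "icmp-frag-needed" if icmp_reaches_sender else "blackhole"
```

Running `forward(build_ipv4(1500), 1400, False)` reproduces the silent stall, and `forward(scrub_no_df(build_ipv4(1500)), 1400, False)` shows why clearing DF or lowering the gateway MTU to 1400 avoids it.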


