
Re: IPSec tunnel stalled, resolved



Tue, 2004-10-26 at 09:11 +0300, Mikko Kortelainen wrote:
> Tue, 2004-09-28 at 10:04 -0700, Sean wrote:
> > Mikko Kortelainen wrote:
> > > Tue, 2004-09-28 at 17:24, OpenBSD-List wrote:
> > > 
> > >>hmm my guess would be to decrease MTU size on the bigger sized (in terms 
> > >>of MTU) line. this helped me a lot when i tried to connect clients using 
> > >>a dial-up line to connect to isakmpd on a leased line.
> > > 
> > > 
> > > Ok, thanks a lot, that fixed the problem!
> > > 
> > > Both ends had an MTU of 1500 on the outbound interface. I dropped the
> > > MTU of the OpenBSD gateway to 1400, and things started working. I still
> > > wonder why, however. But that's nothing critical.
> > 
> > It's a common problem. Packets are coming in as fragmented with the
> > "don't fragment" bit set, so many firewalls (including pf) will drop
> > them unless you configure them to do otherwise. There's some info here:
> > 
> > http://www.enterprisenetworksandservers.com/monthly/art.php/120
> 
> Ok, so now my VPN tunnels seem to work very well with an MTU size of
> 1400. But I'm having trouble with some web sites (notably
> windowsupdate.microsoft.com, but some others also). Reply packets simply
> will not reach me behind the firewall, unless I temporarily return the
> original MTU value of 1500.
> 
> Suggestions? (dropping the MS products is not an option..)
> 
> ICMP messages are unrestricted by the firewall. I've tried using the
> no-df scrub option, and also no scrub at all, but the issue remains.

....but no more:

It all started working by setting the external interface's MTU to 1400,
internal interface's MTU to 1500 and putting a "scrub in all no-df
fragment reassemble" in pf.conf.

(Just FYI to anyone having a similar problem)
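The thread reports that 1400 works and 1500 does not, but never works out why. The following Python is an added example, not code from the thread or from OpenBSD: it computes the on-the-wire size of an inner IP packet after ESP tunnel-mode encapsulation. The transform names, IV/block/ICV lengths are assumptions about a typical isakmpd setup of that era (the thread does not say which cipher or MAC was negotiated); the header sizes follow the ESP packet layout.

```python
# Added worked example: why a 1500-byte inner packet no longer fits a
# 1500-byte outer link once ESP (tunnel mode) wraps it.
import math
from dataclasses import dataclass

IPV4_HEADER = 20   # outer IPv4 header, no options
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1), inside the encrypted part


@dataclass(frozen=True)
class EspTransform:
    name: str
    iv_len: int      # CBC IV, same size as the cipher block
    block_len: int   # payload + trailer are padded up to a multiple of this
    icv_len: int     # integrity check value appended after the trailer


# Assumed transforms (not stated in the thread); sizes are the usual ones.
TRANSFORMS = {
    "3des-cbc/hmac-sha1-96": EspTransform("3des-cbc/hmac-sha1-96", 8, 8, 12),
    "aes-cbc/hmac-sha1-96": EspTransform("aes-cbc/hmac-sha1-96", 16, 16, 12),
}


def esp_packet_size(inner_len: int, t: EspTransform) -> int:
    """Bytes on the wire for an inner IP packet of inner_len bytes."""
    encrypted = math.ceil((inner_len + ESP_TRAILER) / t.block_len) * t.block_len
    return IPV4_HEADER + ESP_HEADER + t.iv_len + encrypted + t.icv_len


def max_inner_packet(outer_mtu: int, t: EspTransform) -> int:
    """Largest inner packet that still fits in outer_mtu after encapsulation."""
    budget = outer_mtu - IPV4_HEADER - ESP_HEADER - t.iv_len - t.icv_len
    return (budget // t.block_len) * t.block_len - ESP_TRAILER


def needs_fragmentation(inner_len: int, outer_mtu: int, t: EspTransform) -> bool:
    """True when the encapsulated packet exceeds the outer link MTU.

    With DF set on the inner packet this is exactly the case where the
    tunnel stalls unless the host lowers its MTU or pf clears DF (no-df).
    """
    return esp_packet_size(inner_len, t) > outer_mtu


if __name__ == "__main__":
    for t in TRANSFORMS.values():
        for inner in (1500, 1400):
            print(f"{t.name:24} inner={inner} wire={esp_packet_size(inner, t)} "
                  f"fragment={needs_fragmentation(inner, 1500, t)}")
        print(f"{t.name:24} max inner for outer MTU 1500: {max_inner_packet(1500, t)}")
```

With the 3DES/SHA1 assumption, a 1500-byte inner packet becomes 1552 bytes on the wire and cannot pass a 1500-byte link unfragmented, while a 1400-byte inner packet becomes 1456 bytes and fits; anything up to 1446 bytes would have fit.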


