From owner-freebsd-questions@FreeBSD.ORG Mon Nov 29 04:28:53 2004
From: Andrew Thomson
To: freebsd-questions@freebsd.org
Date: Mon, 29 Nov 2004 15:24:58 +1100
Subject: ipsec vpn mtu problem
Message-Id: <1101702298.38278.11.camel@itouch-1011.prv.au.itouchnet.net>

I have a problem with a FreeBSD LAN to LAN IPSEC VPN. Specifically, it seems to be an MTU related problem. Previously I have set these up and they have run perfectly between FreeBSD firewalls acting as the VPN terminator.
The latest site that I'm trying to connect to has a basic internet connection. Although it is a business ethernet connection, it's looking similar to a PPPoE link that I have at home! Anyway, in order to get a reliable internet connection, the MTU on the public interface had to be dropped to 1492. Once down, the internet worked a treat.

LAN to LAN VPN config was done with setkey and racoon, up and running very quickly. However, when we try to move data across this link, it gets a bit done and then conks out.

> scp rt-3.2.2.tar.gz root@192.168.40.10:
root@192.168.40.10's password:
rt-3.2.2.tar.gz    11%  144KB  36.7KB/s  - stalled -

All my other VPNs work perfectly; however, none of them required the MTU change. This is the first one that required an MTU change and the first one that doesn't seem to be able to handle anything more than a ping.

One side is running 4.3-RELEASE-p28, the other is running 5.3-STABLE. The 5.3 box is the one that has the dodgy internet link requiring the MTU change.

Any thoughts would be much appreciated.

ajt.

--
Andrew Thomson
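Added example, not part of the thread: a small Python calculator for the ESP tunnel-mode overhead that sits behind a stall like the one above. It assumes ESP in tunnel mode with a CBC cipher and a 96-bit HMAC (the post does not say which transforms were configured) and takes the framing from RFC 2406; the 1492-byte figure is the post's own.

```python
"""ESP tunnel-mode size budget for an IPsec VPN behind a 1492-byte MTU.

Assumptions (not stated in the post): ESP in tunnel mode over IPv4, a CBC
cipher with a one-block IV, and a 96-bit truncated HMAC, i.e. RFC 2406
framing as set up by setkey/racoon. Figures are computed, not measured.
"""
IPV4_HEADER = 20        # outer IP header added in tunnel mode
ESP_HEADER = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2         # pad length (1) + next header (1)
ICV_96BIT = 12          # truncated HMAC-SHA1-96 / HMAC-MD5-96 authenticator
TCP_IPV4_HEADERS = 40   # inner IPv4 (20) + TCP (20), no options

# CBC cipher -> block size in bytes; the IV is one block long.
CIPHER_BLOCK = {"3des-cbc": 8, "aes-cbc": 16, "blowfish-cbc": 8}


def esp_padding(inner_len: int, block: int) -> int:
    """Padding so that payload + pad + trailer is a whole number of blocks."""
    return (-(inner_len + ESP_TRAILER)) % block


def encapsulated_size(inner_len: int, cipher: str) -> int:
    """Outer IPv4 packet size after ESP tunnel-mode encapsulation."""
    block = CIPHER_BLOCK[cipher]
    pad = esp_padding(inner_len, block)
    return (IPV4_HEADER + ESP_HEADER + block + inner_len
            + pad + ESP_TRAILER + ICV_96BIT)


def max_inner_packet(outer_mtu: int, cipher: str) -> int:
    """Largest inner IP packet that fits outer_mtu unfragmented: the value
    to configure as the tunnel-side MTU."""
    block = CIPHER_BLOCK[cipher]
    fixed = IPV4_HEADER + ESP_HEADER + block + ICV_96BIT
    whole_blocks = (outer_mtu - fixed) // block * block   # partial blocks are lost
    return whole_blocks - ESP_TRAILER


def tcp_mss_for(outer_mtu: int, cipher: str) -> int:
    """TCP MSS to clamp so a full segment never needs fragmentation."""
    return max_inner_packet(outer_mtu, cipher) - TCP_IPV4_HEADERS


if __name__ == "__main__":
    for cipher in CIPHER_BLOCK:
        print(f"{cipher:13s} tunnel MTU {max_inner_packet(1492, cipher)}"
              f"  TCP MSS {tcp_mss_for(1492, cipher)}"
              f"  1500-byte packet -> {encapsulated_size(1500, cipher)} bytes")
```

For a 1492-byte outer MTU this gives a tunnel-side MTU of 1422 (AES-CBC) or 1438 (3DES-CBC), while a 1500-byte inner packet encapsulates to 1560 or 1552 bytes and cannot cross the link unfragmented. That is consistent with small pings passing while a bulk transfer stalls, and it is the number to compare against `ping -D -s <size>` probes through the tunnel before lowering the tunnel MTU or clamping the MSS.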