Date: Mon, 28 Jun 1999 11:49:49 -0700 (PDT)
From: Steven Kehlet
To: Josef Karthauser
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: having problems with IPSec VPN using FreeBSD -- help please! :-)
In-Reply-To: <19990628190458.U60952@pavilion.net>

Hmm, the problem is there's no way I can tell to change the MTU on the
"virtual interface" that is IPSec. This implementation offers an enc0
interface for packets that have come *in* and are decrypted by IPSec
(really just for use by firewall rules), but nothing for on the way
*out*. So I can't limit the packet size. Arg! :-)

Steve

On Mon, 28 Jun 1999, Josef Karthauser wrote:

> Date: Mon, 28 Jun 1999 19:04:58 +0100
> From: Josef Karthauser
> To: Steven Kehlet
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: having problems with IPSec VPN using FreeBSD -- help please! :-)
>
> On Mon, Jun 28, 1999 at 10:54:46AM -0700, Steven Kehlet wrote:
> > Thanks! for the reply. I tried just now turning down my mtu on both
> > ends (to 1400) but the same thing happens. I'm wondering if changing
> > the mtu on the interface is too late, i.e. the packet size reduction
> > needs to be done earlier in the processing or something. I don't see
> > any way to do this (through ipsecadm?) though.
>
> I had to change the MTU on the 'tunnel' or 'VPN' interface, not on the
> physical interface itself (the physical interface was an ethernet and was
> fixed at 1500 anyway). I'm sure that you've done that though.
>
> ...that said, I've just checked my config, and actually it is the other way
> around. I had to turn the MTU up, to bring it back to 1500 bytes. Cisco
> allow this and fragment through the tunnel transparently to avoid sending
> must-fragment bits back.
>
> I remember now.... the problem was that some sites on the net send packets
> with 'don't fragment' bits set, but then ignore the 'must fragment' ICMP
> packets that the tunnel was sending. Result: broken path MTU discovery.
> The _only_ way around the problem was to transparently fragment into two
> packets and reassemble at the far end.
>
> I don't know whether this is your problem though.
>
> Joe