Date: Mon, 28 Jun 1999 19:04:58 +0100
From: Josef Karthauser <joe@pavilion.net>
To: Steven Kehlet <kehlet@techfuel.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: having problems with IPSec VPN using FreeBSD -- help please! :-)
Message-ID: <19990628190458.U60952@pavilion.net>
In-Reply-To: <Pine.LNX.4.10.9906281051080.781-100000@phoenix.techfuel.com>; from Steven Kehlet on Mon, Jun 28, 1999 at 10:54:46AM -0700
References: <19990628182551.T60952@pavilion.net> <Pine.LNX.4.10.9906281051080.781-100000@phoenix.techfuel.com>

On Mon, Jun 28, 1999 at 10:54:46AM -0700, Steven Kehlet wrote:
> Thanks! for the reply.  I tried just now turning down my mtu on both
> ends (to 1400) but the same thing happens.  I'm wondering if changing
> the mtu on the interface is too late, i.e. the packet size reduction
> needs to be done earlier in the processing or something.  I don't see
> any way to do this (through ipsecadm?) though.

I had to change the MTU on the 'tunnel' or 'VPN' interface, not on the
physical interface itself (the physical interface was an Ethernet and
was fixed at 1500 anyway). I'm sure that you've done that though.

...that said, I've just checked my config, and actually it is the
other way around. I had to turn the MTU up, to bring it back to
1500 bytes. Cisco allow this and fragment through the tunnel
transparently to avoid sending must fragment bits back.

I remember now.... the problem was that some sites on the net
send packets with 'don't fragment' bits set, but then ignore the
'must fragment' ICMP packets that the tunnel was sending. Result:
Broken MTU path discovery. The _only_ way around the problem was
to transparently fragment into two packets and reassemble at the
far end.

I don't know whether this is your problem though.

Joe
-- 
Josef Karthauser        FreeBSD: How many times have you booted today?
Technical Manager       Viagra for your server (http://www.uk.freebsd.org)
Pavilion Internet plc.  [joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk]
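
The failure mode described in the message above, as a small Python model added here (it is not part of the original e-mail): a sender that sets DF and never reacts to the ICMP 'must fragment' reply stalls whenever the tunnel MTU is below the packet size, while a tunnel MTU of 1500 with transparent fragmentation of the encapsulated packet delivers. The 56-byte encapsulation overhead, the 20-byte outer IP header and the name `send` are assumptions made for the illustration.

```python
"""Toy model of path-MTU discovery across an encapsulating tunnel (constructed)."""

LINK_MTU = 1500        # Ethernet MTU of the physical interface, as in the message
TUNNEL_OVERHEAD = 56   # ASSUMED encapsulation overhead in bytes, not from the message
OUTER_IP_HEADER = 20   # ASSUMED outer IPv4 header without options


def send(size, tunnel_mtu, sender_honors_icmp, max_tries=5):
    """Send a DF-marked inner packet of `size` bytes; return (outcome, wire_sizes).

    tunnel_mtu is the MTU configured on the tunnel interface. If the
    encapsulated packet exceeds LINK_MTU, the gateway fragments the *outer*
    packet and the far end reassembles it, invisibly to the inner flow.
    """
    for _ in range(max_tries):
        if size <= tunnel_mtu:
            outer = size + TUNNEL_OVERHEAD
            wire = []
            while outer > LINK_MTU:
                wire.append(LINK_MTU)
                # every further fragment carries its own outer IP header
                outer -= LINK_MTU - OUTER_IP_HEADER
            wire.append(outer)
            return "delivered", wire
        # Too big with DF set: the gateway drops the packet and answers
        # with ICMP "fragmentation needed" advertising tunnel_mtu.
        if sender_honors_icmp:
            size = tunnel_mtu      # sender lowers its path-MTU estimate
        # otherwise the sender retransmits the same size on the next try
    return "black hole", []


if __name__ == "__main__":
    cases = [
        ("tunnel MTU 1444, ICMP honored", 1444, True),
        ("tunnel MTU 1444, ICMP ignored", 1444, False),
        ("tunnel MTU 1400, ICMP ignored", 1400, False),
        ("tunnel MTU 1500, ICMP ignored", 1500, False),
    ]
    for label, mtu, honors in cases:
        print(f"{label}: {send(1500, mtu, honors)}")
```
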