From owner-freebsd-net@FreeBSD.ORG Fri Oct 31 06:30:35 2003
To: Lars Eggert
From: Eric Masson
cc: Mailing List FreeBSD Network
Subject: Re: ipsec tunnels & packet length issues
Date: Fri, 31 Oct 2003 15:17:53 +0100
Message-ID: <868yn1qyni.fsf@t39bsdems.interne.kisoft-services.com>
In-Reply-To: <3FA02B30.90805@isi.edu> (Lars Eggert's message of "Wed, 29 Oct 2003 13:03:44 -0800")
References: <8665iehd1i.fsf@t39bsdems.interne.kisoft-services.com> <3FA02B30.90805@isi.edu>
X-Operating-System: FreeBSD 4.9-PRERELEASE i386

>>>>> "Lars" == Lars Eggert writes:

Hello Lars,

Lars> See the section on PMTU discovery in draft-touch-ipsec-vpn-06. If
Lars> the requirements of your setup allow is, IPIP gif tunnels
Lars> together with IPsec transport mode (as described in the ID) can
Lars> address this issue.

The kind of setup described in your draft should address the issue, but
the choice has been to use native ipsec tunnels (maybe this will change in
the near future).

The only workaround I've found is to lower the mtu on the fw1 dmz interface
to 1436 (thanks to M. Sierchio).

Hope your draft will be adopted.

Thanks a lot

Eric Masson

-- 
 B > Oh, well done! When do we get HTML in the headers?
 CB> Huh? You don't read the iso-8859-1 in the approved field??
 She's replying. How do you expect her to have time to read as well?
 -+- SJ in: Les joyeuses commères d'Usenet -+-