From owner-freebsd-questions@FreeBSD.ORG Tue Jan 25 20:42:47 2005
From: Kris Maglione <bsdaemon@comcast.net>
To: freebsd-questions@freebsd.org
Date: Tue, 25 Jan 2005 15:42:43 -0500
Subject: [Solved] Re: IPsec issue
Message-ID: <41F6AF43.30205@comcast.net>
References: <41F56E93.8050700@comcast.net>
In-Reply-To: <41F56E93.8050700@comcast.net>
User-Agent: Mozilla Thunderbird 1.0 (X11/20041213)
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Kris Maglione wrote:
> I secure my wireless network with IPsec. The rules are generated with
> a perl script (included below) with a rule for each ip in the range
> 192.168.1.3-192.168.1.254 (.2 is my AP). The key exchange is handled
> by racoon and works without issue. I have "allow ip from any to any"
> as my first ipfw rule when on this network. My firewall allows DHCP
> and ISAKMP traffic unencrypted and allows only esp traffic otherwise.
>
> My problem is that certain websites tend not to work. I can look them
> up and make a connection, but I get no incoming packets, although on
> occasion they do work. Google is one such site. Also, it seems that
> images don't always load for any site. Neither firewall is blocking
> the traffic. When I make an OpenVPN link over the connection (it's
> easier than disabling IPsec, since it's already setup for when I'm
> away from home), the same websites work fine.

The problem turned out to be that with the overhead of the IPsec headers, I needed to decrease the MTUs of both interfaces.
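The fix in the post (lowering the interface MTU to make room for the IPsec headers) comes down to arithmetic on the ESP encapsulation: once a full-size packet plus the ESP header, IV, padding and ICV no longer fits the link, packets with DF set are dropped, and if the ICMP "fragmentation needed" replies never reach the sender the connection just stalls, which matches the "connection opens but no data comes back" symptom. The script below is an added example, not code from the original post. The post does not say which cipher and integrity algorithms racoon negotiated, so the algorithm tables, the defaults and the 1500-byte link MTU are assumptions chosen to show the calculation; the sizes follow the ESP packet layout of RFC 4303.

```python
"""ESP encapsulation overhead and the largest inner MTU that still fits a link.

Added example; it is not code from the original post. The post does not say
which cipher and integrity algorithms racoon negotiated, so the algorithm
tables and the defaults below are assumptions chosen to illustrate the
arithmetic. Field sizes follow the ESP packet layout of RFC 4303.
"""

ESP_HEADER = 8      # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
IPV4_HEADER = 20    # no options
TCP_HEADER = 20     # no options

# cipher -> (IV bytes, block/alignment size that the padding must reach)
CIPHERS = {
    "null":     (0, 4),
    "3des-cbc": (8, 8),
    "aes-cbc":  (16, 16),
}
# integrity algorithm -> ICV bytes
AUTHS = {
    "hmac-md5-96":     12,
    "hmac-sha1-96":    12,
    "hmac-sha256-128": 16,
}


def esp_overhead(enc_len, cipher="aes-cbc", auth="hmac-sha1-96"):
    """Bytes ESP adds around enc_len bytes of encapsulated data."""
    iv, block = CIPHERS[cipher]
    # Padding makes (data + pad + trailer) a multiple of the block size.
    pad = (-(enc_len + ESP_TRAILER)) % block
    return ESP_HEADER + iv + pad + ESP_TRAILER + AUTHS[auth]


def wire_size(inner_len, cipher="aes-cbc", auth="hmac-sha1-96", tunnel=False):
    """Size on the link of an inner IPv4 packet of inner_len bytes after ESP."""
    if inner_len < IPV4_HEADER:
        raise ValueError("inner packet shorter than an IPv4 header")
    if tunnel:
        # Tunnel mode encapsulates the whole inner packet and adds an outer header.
        return IPV4_HEADER + inner_len + esp_overhead(inner_len, cipher, auth)
    # Transport mode leaves the inner IP header in the clear and encapsulates
    # only its payload (the TCP/UDP/ICMP part).
    payload = inner_len - IPV4_HEADER
    return IPV4_HEADER + payload + esp_overhead(payload, cipher, auth)


def inner_mtu(link_mtu, cipher="aes-cbc", auth="hmac-sha1-96", tunnel=False):
    """Largest inner packet whose encapsulated form does not exceed link_mtu.

    wire_size never decreases as inner_len grows (each added byte takes one
    byte of padding until the padding wraps to a new block), so scanning
    downward from link_mtu finds the boundary.
    """
    size = link_mtu
    while size > IPV4_HEADER and wire_size(size, cipher, auth, tunnel) > link_mtu:
        size -= 1
    return size


def tcp_mss(mtu):
    """TCP MSS that fits an MTU: strip the IPv4 and TCP headers."""
    return mtu - IPV4_HEADER - TCP_HEADER


if __name__ == "__main__":
    link = 1500  # constructed value: plain Ethernet / 802.11 MTU
    for cipher in CIPHERS:
        for auth in AUTHS:
            for tunnel in (False, True):
                mtu = inner_mtu(link, cipher, auth, tunnel)
                mode = "tunnel" if tunnel else "transport"
                print(f"{cipher:9} {auth:16} {mode:9} "
                      f"inner MTU {mtu:4}  TCP MSS {tcp_mss(mtu):4}")
```

For AES-CBC with HMAC-SHA1-96 in transport mode on a 1500-byte link the script gives an inner MTU of 1458 (ESP adds a fixed 38 bytes plus up to 15 bytes of padding); tunnel mode costs a further 20 bytes for the outer IP header and gives 1438. Setting the interface MTU to at most the computed value with `ifconfig <interface> mtu N` (the interface name is a placeholder) keeps every encapsulated packet within the link MTU, so the host no longer depends on ICMP "fragmentation needed" messages getting back through the firewalls. To confirm where a path starts dropping, send DF-marked pings just below and just above the limit (`ping -D -s <size>` on FreeBSD; the resulting IP packet is 28 bytes larger than the payload size given to `-s`).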