From: VANHULLEBUS Yvan
To: freebsd-net@freebsd.org
Date: Thu, 29 Dec 2005 13:35:21 +0100
Subject: Re: IPSEC documentation
Message-ID: <20051229123521.GA1854@zen.inc>
In-Reply-To: <20051229121359.GA10949@uk.tiscali.com>

On Thu, Dec 29, 2005 at 12:14:00PM +0000, Brian Candler wrote:
> On Wed, Dec 28, 2005 at 06:04:37PM +0100, Eric Masson wrote:
[....]
> > ports/net/sl2tps
>
> I was rather surprised that I just got IPSEC tunnel mode working between
> Windows XP and FreeBSD; and then afterwards I also got transport mode + L2TP
> working using the Windows client and sl2tps. Zounds!

Very interesting, I'll try that ASAP !

> There is a bug (arguably) in the ipsec-tools port, in that all useful
> messages are logged at level 'daemon.info', but the default syslog.conf
> discards these messages. Once that's fixed, debugging suddenly becomes a
> whole lot easier :-) I've submitted a PR.

Got the mail about the PR, but I currently can't see the PR itself (PR
database busy). I'll handle it as soon as I get the real PR.

[....]

> Once up, I can happily ping through the L2TP tunnel and run short telnet
> sessions but I can't view large web pages, which looks like an MTU issue.

Yep, that is the most probable reason !

> As it happens this FreeBSD box is also acting as a NAT gateway using pf
> (myhost is on a private IP) and actually its external IP is also private -
> it sits behind a second NAT firewall. So maybe that's where the problem
> originates, although I really can't understand where the value of 1380 comes
> from.

1500 - (pppoe encapsulation ?) - ESP header - L2TP encapsulation....

And perhaps another extra UDP encapsulation may be considered, but I guess
you probably don't have NAT-T support.

Yvan.

--
NETASQ - Secure Internet Connectivity
http://www.netasq.com