From: James Snow
To: freebsd-questions@freebsd.org
Date: Sat, 29 Nov 2003 12:21:05 -0500
Message-ID: <20031129172105.GA4018@teardrop.org>
Subject: WinXP/FreeBSD - IPSec Tunnel Over Wireless (MTU Problems?)

At this point, my problem is more with XP than with FreeBSD, so this isn't really the proper forum for this question. But I figure I can't be the first person who's tried to do this, so maybe someone here can point me in the right direction.

I have a 4.9-S box with a Netgear MA311 wireless card and a laptop running XP with a Netgear MA521. The 4.9-S box is connected to the Internet via DSL, and acting as a NAT'ing router for the other devices in my apartment, including the wireless interface. My goal was to encrypt all traffic passing between the laptop and the FreeBSD box, whether the traffic was destined for the router or for a host on the Internet. Since WEP has been shown to be of little value, I decided to do this via an IPSec tunnel.
Through some amalgamation of guides found through Google, I actually got IPSec up and running between the laptop and the FreeBSD box. I'm still having a few small problems (the SA needs some prodding from both ends to come up), but those I'm sure I can figure out. tcpdump even confirms that all traffic is going over the tunnel; it sees only ISAKMP and ESP traffic.

My principal problem is this: loading web pages such as news.google.com hangs just about all network I/O. My SSH sessions hang, web pages will no longer load, but, inexplicably, I can still ping anything local or remote. Eventually things will come back, but interactive sessions such as SSH are usually toast by then.

Since web pages reliably manifest the problem, I figure it has to be an MTU issue. However, if it's an MTU issue, then large pings should also fail. But I can send pings that even exceed the Ethernet MTU without issue. I've tried a couple of different registry key settings for lowering the MTU, but no luck so far.

Has anyone else set something like this up? Did you run into any problems like this? Did you find a solution?

-Snow
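As an added example (not code from the post or from the FreeBSD project), the calculation below shows how much of a 1500-byte Ethernet/wireless MTU an ESP tunnel-mode packet consumes and what TCP MSS keeps inner segments from ever needing fragmentation; the 3DES-CBC/AES-CBC and HMAC-SHA1-96 parameters are assumptions, since the post does not say which algorithms were negotiated.

```python
# Added example: sizing an IPsec ESP tunnel for a 1500-byte MTU path.
# Field sizes follow RFC 4303 (ESP) and RFC 3948 (UDP encapsulation).
# The cipher/integrity choices below are assumptions, not taken from the post.
from dataclasses import dataclass

IPV4_HDR = 20      # outer and inner IPv4 header, no options
TCP_HDR = 20       # TCP header, no options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
UDP_ENCAP = 8      # NAT-T UDP header, only when NAT traversal is in use


@dataclass(frozen=True)
class EspParams:
    iv_len: int        # bytes of IV carried at the start of the ESP payload
    block: int         # cipher block size; plaintext + trailer is padded to it
    icv_len: int       # integrity check value length (HMAC-SHA1-96 -> 12)
    nat_t: bool = False


THREEDES_SHA1 = EspParams(iv_len=8, block=8, icv_len=12)     # assumed
AES_CBC_SHA1 = EspParams(iv_len=16, block=16, icv_len=12)    # assumed


def esp_tunnel_size(inner_len: int, p: EspParams) -> int:
    """Bytes on the wire for one inner IP packet of inner_len bytes in tunnel mode."""
    padding = (-(inner_len + ESP_TRAILER)) % p.block       # align to cipher block
    encrypted = inner_len + ESP_TRAILER + padding
    return (IPV4_HDR + (UDP_ENCAP if p.nat_t else 0) + ESP_HDR
            + p.iv_len + encrypted + p.icv_len)


def max_inner_len(outer_mtu: int, p: EspParams) -> int:
    """Largest inner IP packet whose ESP encapsulation still fits in outer_mtu."""
    fixed = IPV4_HDR + (UDP_ENCAP if p.nat_t else 0) + ESP_HDR + p.iv_len + p.icv_len
    available = outer_mtu - fixed
    encrypted = (available // p.block) * p.block           # largest block multiple
    return encrypted - ESP_TRAILER


def tcp_mss_clamp(outer_mtu: int, p: EspParams) -> int:
    """TCP MSS to clamp to so no segment has to be fragmented inside the tunnel."""
    return max_inner_len(outer_mtu, p) - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    for name, p in (("3DES-CBC/HMAC-SHA1", THREEDES_SHA1),
                    ("AES-CBC/HMAC-SHA1", AES_CBC_SHA1)):
        inner = max_inner_len(1500, p)
        print(f"{name}: inner MTU {inner}, wire size {esp_tunnel_size(inner, p)}, "
              f"TCP MSS {tcp_mss_clamp(1500, p)}")
```

Echo requests sent without the DF bit are fragmented by the sending host and reassembled at the far end, so a large ping getting through does not rule out a tunnel MTU problem; clamping the MSS to the value computed here, or lowering the inner interface MTU, removes the dependency on path MTU discovery working across the tunnel.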