Date:      Fri, 8 Dec 2000 14:07:13 -0500
From:      "Patrick Bihan-Faou" <patrick@netzuno.com>
To:        <vdrifter@ocis.ocis.net>
Cc:        <freebsd-security@FreeBSD.ORG>
Subject:   Re: pipsecd+ipfw fwd
Message-ID:  <POEDLEGGIEKJJIOGHEJNGEJNCDAA.patrick@netzuno.com>

Hi,


It sounds to me that you would be better served by configuring the IP
routing tables rather than doing this with ipfw fwd rules.

Also for the PMTU problem, tcpmssd (from the ports) can help you there. The
issue is no different from the one experienced by PPPoE users.

The reason why you want to reduce the MTU of the IPSec link is that IPSec
headers take some space. If you leave the MTU as 1500, the resulting IPSec
packets may need to be fragmented and that will not help the performance of
your link.

Patrick.



"John F Cuzzola" <vdrifter@ocis.ocis.net> wrote in message
news:<Pine.LNX.4.21.0012072358260.27161-100000@ocis.ocis.net>...
> Hello all,
> I'm using pipsecd from the ports collection and it seems to do the job
> (for my purposes anyway). I've noticed however that when configuring the
> tunnel device the author recommends a MTU of 1440. Recently I added a
> firewall rule like:
>
> ipfw add fwd <virtual ip address of tunnel> ip from <private net> to any
>
> to force the next hop through the tunnel. Well it didn't work, it did for
> small amounts of data but not larger ones which led me to suspect a path
> MTU discovery problem. I reconfigured the tunnel device for a MTU of 1500
> and it works great. My question is when using ipfw fwd what happens if the
> size of the packet exceeds the MTU of the device? When IPFW FWDing do
> ICMP 3.4 messages get sent back for large packets whose don't-fragment
> bit is set, or does that packet just get dropped? It
> would appear the icmp 3.4 message doesn't get sent back but that could be
> because of the pipsecd port.
>
> Kind of curious & thanks,
> John
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>



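Worked example added to this archive page (it is not pipsecd, tcpmssd or FreeBSD code) covering the three points in the exchange above: why the tunnel MTU has to shrink below 1500, what a forwarding hop is supposed to do with an oversized packet whose DF bit is set (ICMP type 3 code 4, "fragmentation needed and DF set", carrying the next-hop MTU as specified by RFC 1191), and the MSS-clamping trick tcpmssd relies on. The cipher parameters are assumptions for illustration, since the thread never says which transforms pipsecd uses: ESP tunnel mode with 3DES-CBC (8-byte block and IV) and HMAC-SHA1-96 (12-byte ICV); the AES-CBC figure is computed with the same formula and 16-byte block/IV. All packet bytes are constructed inline.

```python
"""ESP tunnel overhead, PMTU behaviour at a hop, and MSS clamping.

Added worked example; not code from pipsecd, tcpmssd or FreeBSD.
"""
import struct

# --- 1. Why the tunnel MTU is smaller than the link MTU --------------------
# Assumed transforms (the page does not name them): ESP tunnel mode,
# 3DES-CBC (block 8, IV 8) with HMAC-SHA1-96 (ICV 12).
OUTER_IP_HDR = 20   # new outer IPv4 header added in tunnel mode
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)


def esp_tunnel_len(inner_len, iv_len=8, block=8, icv_len=12):
    """Outer packet size after ESP tunnel-mode encapsulation of an inner
    IP packet of inner_len bytes; padding aligns data+trailer to the
    cipher block size, as RFC 2406 requires."""
    pad = (-(inner_len + ESP_TRAILER)) % block
    return (OUTER_IP_HDR + ESP_HDR + iv_len + inner_len + pad
            + ESP_TRAILER + icv_len)


def max_inner_mtu(link_mtu=1500, **transform):
    """Largest inner packet that still leaves the box without the outer
    (encrypted) packet being fragmented on a link_mtu-byte link."""
    n = link_mtu
    while esp_tunnel_len(n, **transform) > link_mtu:
        n -= 1
    return n


# --- 2. What a hop must do with an oversized packet ------------------------
def ip_checksum(data):
    """Standard 16-bit one's-complement checksum used by IP and ICMP."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_frag_needed(next_hop_mtu, offending_hdr_plus_8):
    """Build the ICMP type 3 code 4 message a router should return when a
    DF packet does not fit the egress link. Per RFC 1191 the second word
    carries the next-hop MTU, followed by the offending IP header + 8 bytes."""
    msg = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + offending_hdr_plus_8
    return msg[:2] + struct.pack("!H", ip_checksum(msg)) + msg[4:]


def forward(pkt_len, df, egress_mtu, offending_hdr_plus_8=b""):
    """Decision a forwarding hop makes for a packet leaving on egress_mtu.
    Returns (action, icmp_bytes_or_None)."""
    if pkt_len <= egress_mtu:
        return ("forward", None)
    if not df:
        return ("fragment", None)          # allowed, but slow and lossy
    # DF set: the packet is dropped and the sender is told the MTU. If this
    # ICMP never reaches the sender, the "small data works, big data hangs"
    # symptom described in the thread is exactly what you get.
    return ("icmp_frag_needed", icmp_frag_needed(egress_mtu, offending_hdr_plus_8))


# --- 3. The tcpmssd approach: clamp MSS in passing SYNs --------------------
def clamp_mss_option(tcp_options, tunnel_mtu):
    """Rewrite the MSS option (kind 2, length 4) so both TCP endpoints never
    build segments larger than tunnel_mtu minus IPv4 (20) + TCP (20) headers.
    With the MSS clamped, PMTU discovery is never needed for TCP."""
    limit = tunnel_mtu - 40
    out = bytearray(tcp_options)
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP
            i += 1
            continue
        if i + 1 >= len(out) or out[i + 1] < 2:
            break                           # malformed option; stop parsing
        length = out[i + 1]
        if kind == 2 and length == 4:
            mss = struct.unpack_from("!H", out, i + 2)[0]
            if mss > limit:
                struct.pack_into("!H", out, i + 2, limit)
        i += length
    return bytes(out)


if __name__ == "__main__":
    print("3DES/SHA1 max inner MTU:", max_inner_mtu())
    print("AES-CBC/SHA1 max inner MTU:", max_inner_mtu(iv_len=16, block=16))
    print("1500-byte inner packet becomes", esp_tunnel_len(1500), "bytes")
    # Constructed SYN options: MSS 1460, NOP, window scale 0
    syn_opts = b"\x02\x04\x05\xb4\x01\x03\x03\x00"
    print("clamped options:", clamp_mss_option(syn_opts, 1440).hex())
```

Running it shows where the 1440 recommendation comes from: with the assumed 3DES/SHA1 transforms the inner packet may be at most 1446 bytes, and with AES-CBC it drops to 1438, so 1440 is a tight margin rather than a generous one; a 1500-byte inner packet always becomes a 1552-byte outer packet that must be fragmented. The `forward` function models the hop behaviour John asks about: the spec answer is "drop and send ICMP 3/4 with the next-hop MTU", and whether a given implementation actually emits it is exactly what to verify with tcpdump on the tunnel.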




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?POEDLEGGIEKJJIOGHEJNGEJNCDAA.patrick>