From owner-freebsd-security Mon Jun 28 11:05:15 1999
Date: Mon, 28 Jun 1999 19:04:58 +0100
From: Josef Karthauser
To: Steven Kehlet
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: having problems with IPSec VPN using FreeBSD -- help please! :-)
Message-ID: <19990628190458.U60952@pavilion.net>
References: <19990628182551.T60952@pavilion.net>
In-Reply-To: ; from Steven Kehlet on Mon, Jun 28, 1999 at 10:54:46AM -0700
Organisation: Pavilion Internet plc, 24 The Old Steine, Brighton, BN1 1EL, England

On Mon, Jun 28, 1999 at 10:54:46AM -0700, Steven Kehlet wrote:
> Thanks! for the reply. I tried just now turning down my mtu on both
> ends (to 1400) but the same thing happens. I'm wondering if changing
> the mtu on the interface is too late, i.e. the packet size reduction
> needs to be done earlier in the processing or something. I don't see
> any way to do this (through ipsecadm?) though.

I had to change the MTU on the 'tunnel' or 'VPN' interface, not on the
physical interface itself (the physical interface was an ethernet and was
fixed at 1500 anyway). I'm sure that you've done that though.

...that said, I've just checked my config, and actually it is the other way
around. I had to turn the MTU up, to bring it back to 1500 bytes. Cisco allow
this and fragment through the tunnel transparently to avoid sending
must-fragment bits back.

I remember now.... the problem was that some sites on the net send packets
with 'don't fragment' bits set, but then ignore the 'must fragment' ICMP
packets that the tunnel was sending. Result: broken path MTU discovery. The
_only_ way around the problem was to transparently fragment into two packets
and reassemble at the far end.

I don't know whether this is your problem though.

Joe
-- 
Josef Karthauser          FreeBSD: How many times have you booted today?
Technical Manager         Viagra for your server (http://www.uk.freebsd.org)
Pavilion Internet plc.    [joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk]
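The path MTU black hole Joe describes, as an added toy model (not code from the thread, from FreeBSD or from Cisco): a 1500-byte inner packet with DF set no longer fits once the tunnel adds its header, so the tunnel either bounces an ICMP "fragmentation needed" (which a sender that ignores ICMP turns into a black hole) or fragments the outer packet transparently and reassembles it at the far end. The 56-byte tunnel overhead and the 1500-byte Ethernet MTU are assumed figures; real ESP overhead depends on the cipher and authenticator.

```python
# Toy model of PMTU discovery through an encapsulating tunnel.
# Assumed figures: Ethernet MTU 1500 and 56 bytes of outer IP + ESP overhead.
PHYS_MTU = 1500
TUNNEL_OVERHEAD = 56
IP_HDR = 20

def encapsulate(inner_len):
    """Outer packet length once the tunnel wraps the inner packet."""
    return inner_len + TUNNEL_OVERHEAD

def fragment(outer_len, mtu):
    """Split an outer packet into on-wire fragments, each with its own IP header."""
    payload = outer_len - IP_HDR
    per_frag = (mtu - IP_HDR) // 8 * 8  # non-final fragment payloads are multiples of 8
    frags = []
    while payload > 0:
        take = min(per_frag, payload)
        frags.append(take + IP_HDR)
        payload -= take
    return frags

def reassemble(frags):
    """Far end rebuilds the outer packet and strips the tunnel overhead."""
    outer_len = sum(f - IP_HDR for f in frags) + IP_HDR
    return outer_len - TUNNEL_OVERHEAD

def send_through_tunnel(inner_len, df, transparent, sender_honours_icmp, log):
    """Return the inner bytes that reach the far end (0 if black-holed)."""
    outer = encapsulate(inner_len)
    if outer <= PHYS_MTU:
        log.append(f"forwarded {inner_len}B inner as {outer}B outer")
        return inner_len
    if df and not transparent:
        # Honour DF: send back 'fragmentation needed' with the usable inner MTU.
        hint = PHYS_MTU - TUNNEL_OVERHEAD
        log.append(f"ICMP fragmentation needed, MTU {hint}")
        if sender_honours_icmp:
            return send_through_tunnel(hint, df, transparent, sender_honours_icmp, log)
        log.append("sender ignores ICMP and resends the same size: black hole")
        return 0
    # DF clear, or the tunnel fragments transparently (what Joe saw Cisco do).
    frags = fragment(outer, PHYS_MTU)
    log.append(f"fragmented outer into {frags}, reassembled at far end")
    return reassemble(frags)
```

Run with `transparent=False, sender_honours_icmp=False` to reproduce the stall, and with `transparent=True` to see the full 1500 bytes arrive as two on-wire fragments.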