Date:      Mon, 28 Jun 1999 14:42:00 -0400
From:      "Jim Flowers" <jflowers@ezo.net>
To:        "Josef Karthauser" <joe@pavilion.net>, "Steven Kehlet" <kehlet@techfuel.com>
Cc:        <freebsd-security@FreeBSD.ORG>
Subject:   Re: having problems with IPSec VPN using FreeBSD -- help please! :-)
Message-ID:  <001d01bec195$e90a3240$abd396ce@ezo.net>
References:  <19990628182551.T60952@pavilion.net> <Pine.LNX.4.10.9906281051080.781-100000@phoenix.techfuel.com> <19990628190458.U60952@pavilion.net>

I note the SKIP implementation is designed to report a lower MTU to discovery
requests to accommodate the additional header bits on incoming packets.  Does
the IPSEC implementation have something similar, and can it be configured?

----- Original Message -----
From: Josef Karthauser <joe@pavilion.net>
To: Steven Kehlet <kehlet@techfuel.com>
Cc: <freebsd-security@FreeBSD.ORG>
Sent: Monday, June 28, 1999 2:04 PM
Subject: Re: having problems with IPSec VPN using FreeBSD -- help please! :-)


> On Mon, Jun 28, 1999 at 10:54:46AM -0700, Steven Kehlet wrote:
> > Thanks! for the reply.  I tried just now turning down my mtu on both
> > ends (to 1400) but the same thing happens.  I'm wondering if changing
> > the mtu on the interface is too late, i.e. the packet size reduction
> > needs to be done earlier in the processing or something.  I don't see
> > any way to do this (though ipsecadm?) though.
>
> I had to change the MTU on the 'tunnel' or 'VPN' interface, not on the
> physical interface itself (The physical interface was an ethernet and was
> fixed at 1500 anyway.) I'm sure that you've done that though.
>
> ...that said, I've just checked my config, and actually it is the other
> way around.  I had to turn the MTU up, to bring it back to 1500 bytes.  Cisco
> allows this and fragments through the tunnel transparently to avoid sending
> must fragment bits back.
>
> I remember now.... the problem was that some sites on the net send packets
> with 'don't fragment' bits set, but then ignore the 'must fragment' ICMP
> packets that the tunnel was sending.  Result: Broken MTU path discovery.
> The _only_ way around the problem was to transparently fragment into two
> packets and reassemble at the far end.
>
> I don't know whether this is your problem though.
>
> Joe
> --
> Josef Karthauser FreeBSD: How many times have you booted today?
> Technical Manager Viagra for your server (http://www.uk.freebsd.org)
> Pavilion Internet plc.  [joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk]
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
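As an added illustration (not code from this thread, nor from any FreeBSD, SKIP
or Cisco implementation), the following Python models the two gateway
behaviours discussed above: the standard path-MTU answer, in which a DF-marked
packet that no longer fits once the ESP tunnel headers are added is bounced
with an ICMP "fragmentation needed" carrying a next-hop MTU reduced by the
IPsec overhead (the same thing Jim notes SKIP does for discovery requests), and
the Cisco-style alternative Joe describes, in which the gateway fragments the
clear-text packet before encapsulation so that a sender which ignores the ICMP
still gets through. The ESP overhead figures (8-byte IV and cipher block for
DES/3DES-CBC, 12-byte HMAC-96 ICV, 20-byte outer IP header) are assumptions
typical of the period, not values taken from the thread; the 1500-byte link
MTU is the Ethernet figure mentioned in the thread.

```python
"""Model of what an ESP tunnel-mode gateway does with packets that are too
large once encapsulated.  Added example for the thread; all ESP parameters
below are assumptions (DES/3DES-CBC + HMAC-96), not the posters' settings."""
from dataclasses import dataclass

IP_HDR = 20          # IPv4 header without options
ESP_SPI_SEQ = 8      # SPI (4) + sequence number (4)
IV_LEN = 8           # assumed: DES/3DES-CBC IV
BLOCK = 8            # assumed: DES/3DES cipher block size
ICV_LEN = 12         # assumed: HMAC-MD5-96 / HMAC-SHA1-96 ICV
TRAILER = 2          # ESP trailer: pad length (1) + next header (1)


def esp_tunnel_size(inner_len, iv=IV_LEN, block=BLOCK, icv=ICV_LEN):
    """Outer packet length after ESP tunnel-mode encapsulation of an
    inner IP packet of inner_len bytes (inner IP header included)."""
    body = inner_len + TRAILER                 # plaintext that gets padded
    padded = -(-body // block) * block         # round up to the cipher block
    return IP_HDR + ESP_SPI_SEQ + iv + padded + icv


def max_inner_for(link_mtu, **kw):
    """Largest inner packet whose encapsulation still fits in link_mtu.
    This is the value a gateway should advertise in ICMP 'frag needed'."""
    n = link_mtu
    while esp_tunnel_size(n, **kw) > link_mtu:
        n -= 1
    return n


@dataclass
class Packet:
    total_len: int        # IP total length in bytes
    df: bool              # Don't Fragment bit
    offset: int = 0       # fragment offset in bytes
    mf: bool = False      # More Fragments bit


def fragment(pkt, mtu):
    """Split a clear-text IP packet into fragments that fit mtu.  Fragment
    payloads are multiples of 8 bytes, as IP requires."""
    payload = pkt.total_len - IP_HDR
    chunk = (mtu - IP_HDR) // 8 * 8
    frags, off = [], 0
    while off < payload:
        n = min(chunk, payload - off)
        last = off + n >= payload
        frags.append(Packet(IP_HDR + n, df=False,
                            offset=pkt.offset + off, mf=pkt.mf or not last))
        off += n
    return frags


def gateway(pkt, link_mtu=1500, transparent_fragment=False):
    """What the IPsec gateway does with one inner packet.
    Returns ('forward', [outer packet lengths]) or
            ('icmp_frag_needed', next_hop_mtu)."""
    inner_mtu = max_inner_for(link_mtu)
    if pkt.total_len <= inner_mtu:
        return ("forward", [esp_tunnel_size(pkt.total_len)])
    if pkt.df and not transparent_fragment:
        # Plain PMTUD: refuse and tell the sender how much to shrink.
        return ("icmp_frag_needed", inner_mtu)
    # Cisco-style: fragment in the clear before encapsulating, so the far
    # gateway reassembles and the original sender never sees an ICMP.
    frags = fragment(pkt, inner_mtu)
    return ("forward", [esp_tunnel_size(f.total_len) for f in frags])


def deliver(total_len, honors_icmp, transparent_fragment=False, link_mtu=1500):
    """End-to-end outcome for a DF-marked packet from a sender that either
    honours ICMP 'fragmentation needed' or ignores it (the broken sites Joe
    describes)."""
    verdict, info = gateway(Packet(total_len, df=True), link_mtu, transparent_fragment)
    if verdict == "forward":
        return ("delivered", info)
    if honors_icmp:
        # Sender retries at the advertised MTU; PMTUD works as designed.
        return ("delivered", gateway(Packet(info, df=True), link_mtu, transparent_fragment)[1])
    return ("blackholed", info)   # DF set, ICMP ignored: the packet never arrives


if __name__ == "__main__":
    print("usable inner MTU behind a 1500-byte link:", max_inner_for(1500))
    print("well-behaved sender:", deliver(1500, honors_icmp=True))
    print("sender ignoring ICMP:", deliver(1500, honors_icmp=False))
    print("same, gateway fragments in the clear:",
          deliver(1500, honors_icmp=False, transparent_fragment=True))
```

With these assumed parameters the gateway can carry at most a 1446-byte inner
packet inside a 1500-byte outer one, so a full-size 1500-byte packet with DF
set is either bounced with next-hop MTU 1446, or (transparent fragmentation)
sent as two ESP packets of 1496 and 128 bytes. The third case in the
`__main__` block is the one the thread is about: a sender that sets DF but
ignores the ICMP is black-holed unless the gateway fragments in the clear.
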
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?001d01bec195$e90a3240$abd396ce>