From owner-freebsd-security Mon Jun 28 11:40: 4 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lily.ezo.net (lily.ezo.net [206.102.130.13]) by hub.freebsd.org (Postfix) with ESMTP id 6145A15448 for ; Mon, 28 Jun 1999 11:39:52 -0700 (PDT) (envelope-from jflowers@ezo.net)
Received: from ivy.ezo.net (ivy.ezo.net [206.150.211.171]) by lily.ezo.net (8.8.7/8.8.7) with SMTP id OAA19159; Mon, 28 Jun 1999 14:39:38 -0400 (EDT)
Message-ID: <001d01bec195$e90a3240$abd396ce@ezo.net>
From: "Jim Flowers"
To: "Josef Karthauser" , "Steven Kehlet"
Cc:
References: <19990628182551.T60952@pavilion.net> <19990628190458.U60952@pavilion.net>
Subject: Re: having problems with IPSec VPN using FreeBSD -- help please! :-)
Date: Mon, 28 Jun 1999 14:42:00 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2014.211
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2014.211
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I note SKIP implementation is designed to report a lower MTU to discovery requests to accommodate the additional header bits on incoming packets. Does IPSEC implementation have something similar and can it be configured?

----- Original Message -----
From: Josef Karthauser
To: Steven Kehlet
Cc:
Sent: Monday, June 28, 1999 2:04 PM
Subject: Re: having problems with IPSec VPN using FreeBSD -- help please! :-)

> On Mon, Jun 28, 1999 at 10:54:46AM -0700, Steven Kehlet wrote:
> > Thanks! for the reply. I tried just now turning down my mtu on both
> > ends (to 1400) but the same thing happens. I'm wondering if changing
> > the mtu on the interface is too late, i.e. the packet size reduction
> > needs to be done earlier in the processing or something. I don't see
> > any way to do this (through ipsecadm?) though.
>
> I had to change the MTU on the 'tunnel' or 'VPN' interface, not on the
> physical interface itself (The physical interface was an ethernet and was
> fixed at 1500 anyway.) I'm sure that you've done that though.
>
> ...that said, I've just checked my config, and actually it is the other way
> around. I had to turn the MTU up, to bring it back to 1500 bytes. Cisco
> allow this and fragment through the tunnel transparently to avoid sending
> must fragment bits back.
>
> I remember now.... the problem was that some sites on the net send packets
> with 'don't fragment' bits set, but then ignore the 'must fragment' ICMP
> packets that the tunnel was sending. Result: Broken MTU path discovery.
> The _only_ way around the problem was to transparently fragment into two
> packets and reassemble at the far end.
>
> I don't know whether this is your problem though.
>
> Joe
> --
> Josef Karthauser FreeBSD: How many times have you booted today?
> Technical Manager Viagra for your server (http://www.uk.freebsd.org)
> Pavilion Internet plc. [joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk]
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
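The thread describes three things worth seeing side by side: the tunnel's encapsulation overhead lowers the usable MTU below the 1500 bytes of the physical interface (which is why SKIP advertises a smaller MTU to path MTU discovery), a sender that sets DF but ignores the ICMP 'must fragment' reply ends up in a black hole, and the Cisco-style workaround of fragmenting the encapsulated packet transparently and reassembling at the far-end gateway sidesteps that. The toy model below is an added example written for this page, not code from the thread or from any FreeBSD or Cisco implementation. The ESP tunnel-mode parameters it uses (8-byte IV and cipher block, 12-byte truncated ICV, 20-byte outer IPv4 header) are assumptions chosen to match a common 1999-era 3DES-CBC/HMAC configuration; the thread itself states only the 1500 and 1400 figures.

```python
"""Toy model of the tunnel MTU problem from the freebsd-security thread.

Models three things: (1) the ESP tunnel-mode overhead that makes the usable
inner MTU smaller than the physical 1500, (2) a DF-setting sender that ignores
ICMP 'fragmentation needed' (broken path MTU discovery), and (3) the workaround
of fragmenting the encapsulated packet and reassembling it at the far end.
Overhead parameters are assumptions, not values stated in the thread.
"""
from dataclasses import dataclass
from typing import Optional

ETHERNET_MTU = 1500   # physical MTU on both ends, as in the thread
IP_HDR = 20           # IPv4 header without options


@dataclass(frozen=True)
class Datagram:
    length: int                          # total IPv4 datagram length in bytes
    df: bool = False                     # don't-fragment flag
    inner: Optional["Datagram"] = None   # for an ESP outer packet: the encapsulated datagram


def esp_tunnel_overhead(inner_len: int, iv_len: int = 8, icv_len: int = 12, block: int = 8) -> int:
    """Bytes ESP tunnel mode adds around an inner datagram of inner_len bytes.

    Assumed layout: outer IPv4 header, 4-byte SPI, 4-byte sequence number,
    IV, then a trailer padded so that inner + pad + pad-length byte +
    next-header byte is a multiple of the cipher block, followed by the ICV.
    """
    pad = (-(inner_len + 2)) % block
    return IP_HDR + 4 + 4 + iv_len + pad + 2 + icv_len


def tunnel_mtu(physical_mtu: int = ETHERNET_MTU) -> int:
    """Largest inner datagram whose encapsulated form still fits one outer frame.
    This is the value a tunnel should advertise in ICMP 'fragmentation needed'."""
    mtu = physical_mtu
    while mtu + esp_tunnel_overhead(mtu) > physical_mtu:
        mtu -= 1
    return mtu


def ip_fragment(pkt: Datagram, mtu: int) -> list:
    """Ordinary IPv4 fragmentation of pkt into pieces that fit mtu.
    Every fragment repeats the 20-byte header; all but the last carry a payload
    that is a multiple of 8 bytes (the fragment-offset unit)."""
    payload = pkt.length - IP_HDR
    per_frag = (mtu - IP_HDR) // 8 * 8
    frags = []
    while payload > 0:
        chunk = min(per_frag, payload)
        frags.append(Datagram(IP_HDR + chunk, df=False, inner=pkt.inner))
        payload -= chunk
    return frags


def ip_reassemble(frags: list) -> Datagram:
    """Rebuild the original datagram from its fragments (toy: lengths only)."""
    total = IP_HDR + sum(f.length - IP_HDR for f in frags)
    return Datagram(total, df=False, inner=frags[0].inner)


def cross_tunnel(inner: Datagram, sender_honours_icmp: bool, tunnel_fragments: bool,
                 physical_mtu: int = ETHERNET_MTU) -> tuple:
    """Send one inner datagram through the tunnel and report what arrives.

    Returns ('delivered', outer_packets_on_wire, inner_length_at_far_end), or
    ('blackhole', advertised_mtu, None) when DF is set, the tunnel honours it,
    and the sender ignores the ICMP it gets back.
    """
    outer_len = inner.length + esp_tunnel_overhead(inner.length)
    if outer_len <= physical_mtu:
        wire = [Datagram(outer_len, df=inner.df, inner=inner)]
        return ("delivered", len(wire), wire[0].inner.length)
    if inner.df and not tunnel_fragments:
        # Honour DF: drop the packet and send ICMP 'fragmentation needed'
        # carrying the tunnel MTU (what SKIP does with its lower MTU report).
        advertised = tunnel_mtu(physical_mtu)
        if not sender_honours_icmp:
            return ("blackhole", advertised, None)   # the failure the thread describes
        # A well-behaved sender retransmits at the advertised size.
        return cross_tunnel(Datagram(advertised, df=True), True, False, physical_mtu)
    # DF clear, or the tunnel fragments transparently regardless of DF: the
    # outer ESP packet is split with DF clear and reassembled by the far-end
    # gateway, so the inner datagram arrives intact and the sender sees nothing.
    outer = Datagram(outer_len, df=False, inner=inner)
    wire = ip_fragment(outer, physical_mtu)
    far_end = ip_reassemble(wire)
    return ("delivered", len(wire), far_end.inner.length)


if __name__ == "__main__":
    print("tunnel MTU:", tunnel_mtu())
    big = Datagram(ETHERNET_MTU, df=True)
    print("ignores ICMP, tunnel honours DF:", cross_tunnel(big, False, False))
    print("honours ICMP, tunnel honours DF:", cross_tunnel(big, True, False))
    print("ignores ICMP, tunnel fragments: ", cross_tunnel(big, False, True))
```

With the assumed parameters the usable inner MTU comes out at 1446 bytes, which is why turning the tunnel interface down to 1400 is a reasonable first attempt and why a lower advertised MTU only helps when the far side actually acts on the ICMP; the transparent-fragmentation path delivers the full 1500-byte inner datagram at the cost of two frames on the wire and reassembly state at the receiving gateway.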