"Shannon B. Roddy" <[EMAIL PROTECTED]> writes:

I'm thinking MTU or don't fragment settings on your internet facing
connection.  IPSEC adds some overhead to your packet headers that
can cause large frames.  You may also have to unset don't-fragment
scrub options in your pf firewall (i.e. scrub no-df).

Search for "openbsd ipsec mtu" on Google and let us know what the
outcome was.

> This is the problem that I was describing last night at the Perks meeting.
>
> Shannon
>
> -------- Original Message --------
> Subject: [OIC] Weird problem --> OpenBSD 3.1 & IPsec
> Date: Tue, 26 Aug 2003 18:51:12 -0500
> From: Shannon Roddy <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
>
>
>
> Hello,
>
> I have an odd problem that I am not sure if it is or is not related to
> my OpenBSD vpn.  I have four remote sites that are connected via a set
> of manually keyed OpenBSD 3.1 machines.  Below is what the topology
> looks like:
>
>
>                                     |I
> 10.11/16 -----VPN Box A-------------|N
>                                     |T
>                                     |E
> 10.12/16 -----VPN Box B-------------|R
>                                     |N
>                                     |E
> 10.13/16 -----VPN box C-------------|T
>                                     |
>                                     |
> 10.14/16 -\                 /-------|
> 10.15/16 -->- VPN box D---<---------|
> 10.16/16 -/                 \-------|
>
>
> The vpn box with three internal networks has also three external
> internet addresses.  There are only two physical network interfaces,
> the addresses are done through aliases.  The problem is that all
> communication works fine for all networks except outbound large file
> transfers from the 10.14, 15, and 16 networks.  I can copy a 40 MB
> file from any vpn to any vpn.  I can also copy from any network _TO_
> 10.14, 15, and 16.  I cannot copy from 10.14, 15, 16 to any vpn or any
> internal machine on 10.11, 12, or 13.  I CAN however copy _SMALL_
> (approximately 8k was tested) files from 10.14, 15, 16.
>
> So, anytime I try to copy a large file from 10.14.0.11 to 10.11.0.10
> for instance, it stalls at 36864 bytes.  It stalls at the same number
> of bytes EVERY time.  Note also, that on a Solaris box it stalls at
> 49152 bytes and on a Linux box it stalls at 36864.  I know that the
> tunnels are functional because I can interactively ssh to and from the
> network and machines in question.  Also ping, traceroute, etc. etc.
>
> I am at a loss here...  Any suggestions would be much appreciated.
>
> Thanks in advance,
> Shannon Roddy
>
> _______________________________________________
> OpenBSD-IPsec-Clients mailing list
> [EMAIL PROTECTED]
> http://www.allard.nu/mailman/listinfo/openbsd-ipsec-clients
>
>
>
> _______________________________________________
> General mailing list
> [email protected]
> http://brlug.net/mailman/listinfo/general_brlug.net
>

-- 
Scott Harney<[EMAIL PROTECTED]>
"...and one script to rule them all."
gpg key fingerprint=7125 0BD3 8EC4 08D7 321D CEE9 F024 7DA6 0BC7 94E5
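
Added example (not part of the original messages): a Python sketch of the ESP tunnel-mode overhead the reply refers to, showing that a full-sized 1500-byte inner packet no longer fits a 1500-byte link once encapsulated. The transforms (3DES-CBC or AES-CBC with a 96-bit HMAC), the IPv4 outer header without NAT-T, the 1500-byte MTU and all function names are assumptions; the thread does not state them.

```python
# Added example: ESP tunnel-mode size arithmetic (IPv4, no NAT-T).
# Transform parameters are assumptions; the thread does not name the ciphers in use.
OUTER_IP = 20      # outer IPv4 header, no options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad-length byte + next-header byte
INNER_TCPIP = 40   # inner IPv4 (20) + TCP (20), no options

# name -> (cipher block size, IV length, truncated ICV length), all in bytes
TRANSFORMS = {
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
}

def esp_packet_size(inner_len, transform):
    """Size on the wire of one inner IP packet after ESP tunnel encapsulation."""
    block, iv, icv = TRANSFORMS[transform]
    # Inner packet plus trailer is padded up to a whole number of cipher blocks.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return OUTER_IP + ESP_HDR + iv + padded + icv

def max_inner_packet(link_mtu, transform):
    """Largest inner IP packet whose encapsulated form still fits link_mtu."""
    block, iv, icv = TRANSFORMS[transform]
    room = link_mtu - OUTER_IP - ESP_HDR - iv - icv
    return (room // block) * block - ESP_TRAILER

def max_tcp_mss(link_mtu, transform):
    """TCP MSS that keeps every encapsulated segment within link_mtu."""
    return max_inner_packet(link_mtu, transform) - INNER_TCPIP

if __name__ == "__main__":
    for name in TRANSFORMS:
        print(name,
              "| 1500-byte inner ->", esp_packet_size(1500, name), "on the wire",
              "| max inner:", max_inner_packet(1500, name),
              "| max MSS:", max_tcp_mss(1500, name))
```

Small packets such as interactive ssh or ping stay far below these limits, while full-sized TCP segments from a bulk copy exceed them once encapsulated.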
