Lars Karlslund wrote:
Hello everyone,

Troubles again with <subject> ... let me explain the setup first:

LEAF/Bering box on PPPoE line at remote office. ppp0 MTU is 1492 - have
tried overriding in dsl-provider, but to no avail (doesn't do
anything?). ClampMSS is enabled in Shorewall.

Mandrake/Shorewall on regular Ethernet line at main office.

They communicate using FreeSWAN IPSEC and have a VPN connection running.
I have added "overridemtu=1350" to make sure packet sizes aren't the
problem.

Both firewalls have "ACCEPT all all ICMP" so as not to give problems with
PMTU discovery.

DNAT is configured, so the external PPPoE interface IP forwards
ssh-requests to an internal host across the VPN transparently. This is
done with SNAT.

Observations:
Pinging from an external IP-address to the PPPoE box works with packet
sizes up to 1492 (ping -s 1464 x.x.x.x), but not with packet sizes above that.
I can't figure out why, but I suspect that ping sets the DF flag.

Ping does set the DF flag bit, so you're hitting the MTU limit of your PPPoE link.


Pinging internally via VPN works fine, no matter the packet size, due to
"overridemtu" in FreeSWAN.

Doing SCP from external address to the PPPoE firewall works fine (due to
ClampMSS?).

Doing SCP from external address to the PPPoE SNAT port (which is
forwarded to the remote host over VPN) halts, because large packets are
dropped.

HEEEELP! :)

Not being able to ping with large packets from the internet I can live
with. But the SNAT large packets problem I cannot live with.

Hope one of you gurus can help.

I don't have a clear picture of your network topology, but it seems like you're running into two different MTU problems. The limited MTU of your PPPoE link (which it sounds like you have solved), and the MTU of your IPSec link (which may or may not be going over the PPPoE connection for an additional "haircut" ... that part isn't clear from the above).


It seems like packets from the internet that don't fit down your IPSec pipe aren't properly getting ICMP messages back to the sender (i.e. PMTU discovery is broken for the specific case of inbound PPPoE traffic that heads back out the IPSec link).

Provide a diagram of how your network is setup, and maybe I (or someone else) will have some ideas on how to get things working properly.

--
Charles Steinkuehler
[EMAIL PROTECTED]
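The "two haircuts" Charles describes (Ethernet 1500 -> PPPoE 1492 -> ESP tunnel inside the PPPoE link) are easiest to see with the numbers written out. The script below is an added example for this thread, not code from the original posts, from Shorewall or from FreeSWAN. It works the MTU budget through each layer, shows why 1464 is the largest DF ping payload that fits a 1492-byte PPPoE MTU, and shows that an MSS clamp derived from the PPPoE MTU alone (1452) is still too large for a TCP segment that must then be encapsulated in ESP. The interface name ipsec0, the 3DES-CBC/HMAC-SHA1-96 overhead figures used for the ESP arithmetic, and the 1350 figure from "overridemtu" are assumptions about this particular setup; the script prints the iptables rule it would suggest rather than installing it.

```shell
#!/bin/sh
# MTU/MSS budget for a PPPoE link that also carries an IPsec ESP tunnel.
# Added example, not from the thread, Shorewall or FreeSWAN.
# Assumptions: IPv4 without options, ESP tunnel mode, FreeSWAN's ipsec0
# virtual interface, 3DES-CBC (8-byte block and IV) with HMAC-SHA1-96 (12-byte ICV).

IP_HDR=20          # IPv4 header
ICMP_HDR=8         # ICMP echo header
TCP_HDR=20         # TCP header without options
ESP_HDR=8          # ESP SPI + sequence number
ESP_TRAILER=2      # pad length + next header
PPPOE_OVERHEAD=8   # 6 bytes PPPoE session header + 2 bytes PPP protocol id

# Largest "ping -s" payload that fits a link MTU when DF is set.
icmp_payload_max() { echo $(( $1 - IP_HDR - ICMP_HDR )); }

# MSS to clamp to so that a full TCP segment fits the given MTU.
tcp_mss_for() { echo $(( $1 - IP_HDR - TCP_HDR )); }

# Largest inner (pre-encryption) packet that fits one ESP tunnel-mode packet
# on a link of MTU $1, with cipher block size $2, IV length $3, ICV length $4.
# Ciphertext = inner packet + padding + 2-byte trailer, rounded up to the block size,
# so the usable ciphertext is the largest multiple of the block size that fits.
esp_inner_mtu() {
    esp_outer=$1; esp_block=$2; esp_iv=$3; esp_icv=$4
    esp_avail=$(( esp_outer - IP_HDR - ESP_HDR - esp_iv - esp_icv ))
    esp_ct=$(( esp_avail - esp_avail % esp_block ))
    echo $(( esp_ct - ESP_TRAILER ))
}

# Print (do not run) an iptables TCPMSS rule that clamps SYNs leaving
# interface $1 to the MSS matching MTU $2.
clamp_rule() {
    echo "iptables -t mangle -A FORWARD -o $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $(tcp_mss_for $2)"
}

# Walk the budget from the Ethernet MTU ($1, default 1500) down to the tunnel.
budget() {
    eth=${1:-1500}
    pppoe=$(( eth - PPPOE_OVERHEAD ))
    inner=$(esp_inner_mtu $pppoe 8 8 12)        # 3DES-CBC + HMAC-SHA1-96 (assumed)
    override=${2:-1350}                         # FreeSWAN overridemtu= (assumed)
    echo "Ethernet MTU:                 $eth"
    echo "PPPoE MTU:                    $pppoe (largest DF ping: -s $(icmp_payload_max $pppoe))"
    echo "MSS clamp for PPPoE only:     $(tcp_mss_for $pppoe)"
    echo "ESP inner MTU over PPPoE:     $inner"
    echo "MSS clamp for traffic in VPN: $(tcp_mss_for $inner)"
    echo "With overridemtu=$override:   MSS $(tcp_mss_for $override)"
    echo "Suggested rule (not applied): $(clamp_rule ipsec0 $override)"
}

budget "$@"
```

With the defaults this prints a PPPoE MTU of 1492 (largest DF ping payload 1464, the figure observed in the thread), a PPPoE-only MSS of 1452, an ESP inner MTU of 1438 and a tunnel MSS of 1398, or 1310 when the tunnel is pinned to 1350. Two caveats a practitioner should keep in mind: an MSS clamp only helps TCP (ping and other non-TCP traffic still depend on the ICMP fragmentation-needed message reaching the original sender), and the ESP overhead changes with the cipher and integrity algorithm, so substitute the block, IV and ICV sizes actually negotiated by FreeSWAN.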




leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
