Hi, I want to interconnect two distant OpenBSD 3.9 gateways using ipsecctl(8). Both gateways are connected with in-kernel pppoe(4). Both ipsec.conf(5) will use the default settings (esp, sha2-256 and aes-256). I don't use NFS.
I'm having a hard time figuring out the best configuration for pf's max-mss:

- The pppoe(4) man page recommends "scrub out on pppoe0 max-mss 1440", but that shouldn't include the IPsec overhead (how much, by the way?).
- I didn't find MSS recommendations in the relevant IPsec pages: vpn(8), ipsec.conf(5), ipsec(4), isakmpd.conf(5), ipsecctl(8) or isakmpd(8).
- Naddy recommends "scrub in on enc0 all max-mss 1318" for an ipsecctl(8) setup (http://archives.neohapsis.com/archives/openbsd/2006-01/1856.html), but that may not account for the pppoe overhead.

So here are my questions:

- Why do those two recommendations apply in opposite directions (scrub in and scrub out)? Should I set the max-mss both ways? I'm lost ...
- Should I set a global max-mss for the pppoe(4) interface and a lower, specific one for the enc0 interface (1318 minus the pppoe overhead)? Like e.g.:

    scrub out on pppoe0 max-mss 1440
    scrub in on enc0 all max-mss 1258    # 1318 (Naddy's) - 60 (pppoe header)

- I also wonder what the correct setting for the "no-df" parameter would be: direction (scrub in no-df only? scrub out too?), which interface to apply it on (all?), should I add "random-id" every time? Could the no-df packet alteration defeat IPsec ESP checksums?

My very wild guess is (is this correct for IPsec over PPPoE?):

    scrub no-df random-id                              # so: in and out, all interfaces
    scrub out on pppoe0 max-mss 1440 no-df random-id   # is no-df needed here too?
    scrub in on enc0 max-mss 1258 no-df random-id      # idem?

Thanks
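As an added example (not part of the original post), a small Python calculation of the largest TCP MSS whose ESP tunnel-mode packet still fits inside the PPPoE link MTU. The header sizes are assumptions for AES-CBC with HMAC-SHA-256 (PPPoE 8 bytes, ESP header 8, 16-byte IV, padding to the 16-byte block, 2-byte trailer, 16-byte ICV); the ICV length is a parameter because the truncation used by a given release may differ.

```python
# Assumed encapsulation sizes in bytes (not taken from the post).
PPPOE_OVERHEAD = 8      # PPPoE header (6) + PPP protocol field (2)
IPV4_HDR = 20
TCP_HDR = 20
ESP_HDR = 8             # SPI + sequence number
AES_BLOCK = 16          # AES-CBC IV length and padding block size
ESP_TRAILER = 2         # pad length + next header
ICV_LEN = 16            # HMAC-SHA-256 ICV truncated to 128 bits (assumption)


def esp_tunnel_size(inner_len: int, icv_len: int = ICV_LEN) -> int:
    """Size on the wire of an ESP tunnel-mode packet carrying an
    inner IP packet of inner_len bytes (outer IPv4 header included,
    PPPoE not included)."""
    body = inner_len + ESP_TRAILER
    padded = -(-body // AES_BLOCK) * AES_BLOCK   # round up to block size
    return IPV4_HDR + ESP_HDR + AES_BLOCK + padded + icv_len


def path_mtu(link_mtu: int = 1500, pppoe: bool = True) -> int:
    """IP MTU available on the link once the PPPoE encapsulation is paid."""
    return link_mtu - (PPPOE_OVERHEAD if pppoe else 0)


def max_mss(link_mtu: int = 1500, pppoe: bool = True,
            ipsec: bool = True, icv_len: int = ICV_LEN) -> int:
    """Largest TCP MSS such that a full-sized segment, once (optionally)
    wrapped in ESP tunnel mode, still fits in the link MTU.  The search
    is a simple countdown because ESP padding makes the overhead depend
    on the payload length, so a closed formula would be off by a block."""
    mtu = path_mtu(link_mtu, pppoe)
    mss = mtu - IPV4_HDR - TCP_HDR
    if not ipsec:
        return mss
    while esp_tunnel_size(IPV4_HDR + TCP_HDR + mss, icv_len) > mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    print("plain PPPoE MSS :", max_mss(ipsec=False))
    print("ESP over PPPoE  :", max_mss())
```

The ESP figure is a ceiling for the enc0 clamp under these assumptions; a lower value only costs a little throughput, while a higher one makes the tunnel fragment or rely on PMTU discovery.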

