On 2008/01/06 10:02, Max Hayden Chiz wrote:
> Thank you very much for your swift reply. Using 'scrub on enc0
> max-mss 1310 no-df' immediately solved the problem.
>
> I have two questions though, since 1310 is smaller than needed, how
> do I determine the correct setting to use after max-mss? I understand
> that in theory I want to subtract the length of the extra IP header
> and the ESP header from 1500, but I'm not sure what the length of an
> ESP header is (since it looks like it is variable because of padding.)

I think this depends on the cipher used (and maybe also the data, I'm not
sure). "ping -D -s <size> <host.on.the.other.side>", try varying sizes until
you find one that just makes it through, add 8 (ICMP header) and subtract 20
(typical TCP header) and you get the usual value used for MSS (e.g. on
ethernet the largest ping that arrives is 1472, 1460 is used as MSS). Start
there for max-mss; if things still break then drop it by something small.

Personally I couldn't be bothered, I'm quite happy to have a few more packet
headers sent than strictly necessary for the sake of an easy life (and
reducing the chance of having to touch it again if things change). :-)

> Also, the pf.conf man page recommends using random-id with no-df. Is
> that appropriate here?

Yes, you're right, I haven't noticed a problem myself (and a glance at the
fingerprint files in the p0f port suggests the condition this fixes isn't all
that common) but this does make sense.
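The probing procedure from the reply above, written out as a script (an added example, not from the thread or from the PF project): it binary-searches the largest DF ping payload that crosses the tunnel and derives the max-mss value as payload + 8 - 20. It assumes OpenBSD ping(8) flags (-D sets DF, -s payload size, -c count, -w maxwait); the PROBE hook and the hypothetical script name probe-mss.sh are my additions.

```shell
#!/bin/sh
# Added example (not from the original thread): find the largest ICMP payload
# that gets through with DF set, then derive the TCP MSS the way the reply
# describes: largest payload + 8 (ICMP header) - 20 (typical TCP header).
# Assumes OpenBSD ping(8) flags; Linux ping spells DF as "-M do" instead of -D.

# ping_probe SIZE HOST: succeed if a DF ping with SIZE bytes of payload
# gets a reply within 2 seconds.
ping_probe() {
    ping -D -c 1 -w 2 -s "$1" "$2" >/dev/null 2>&1
}

# find_max_payload HOST LO HI: binary search the largest payload in [LO,HI]
# for which the probe succeeds (assumes: if SIZE fits, every smaller size
# fits too). PROBE defaults to ping_probe and can be replaced with a
# simulated probe for offline testing. Prints the size, or "none".
find_max_payload() {
    host=$1 lo=$2 hi=$3 best=none
    probe=${PROBE:-ping_probe}
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid" "$host"; then
            best=$mid
            lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# mss_from_payload SIZE: MSS = payload + 8 (ICMP hdr) - 20 (TCP hdr),
# so the plain-ethernet case 1472 gives the familiar 1460.
mss_from_payload() {
    echo $(( $1 + 8 - 20 ))
}

# Usage: sh probe-mss.sh <host.on.the.other.side>
if [ -n "$1" ]; then
    max=$(find_max_payload "$1" 0 1500)
    if [ "$max" = none ]; then
        echo "no DF ping got through at all; check the path first" >&2
        exit 1
    fi
    echo "largest DF payload: $max -> try 'scrub ... max-mss $(mss_from_payload "$max")'"
fi
```

The printed max-mss is the starting point the reply suggests; if connections through enc0 still stall, lower it by a little.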

