RE: [leaf-user] PPPoE, IPSec and MTU size problems

2003-02-14 Thread Todd Pearsall
Thinking about this, I think the only way to reliably fix the problem is to use the overridemtu setting in FreeS/WAN (so path mtu discovery works properly from the internal network's perspective), or to manually force the maximum MTU to a value smaller than 1500 on all affected

Re: [leaf-user] PPPoE, IPSec and MTU size problems

2003-02-14 Thread Charles Steinkuehler
Todd Pearsall wrote: Thinking about this, I think the only way to reliably fix the problem is to use the overridemtu setting in FreeS/WAN (so path mtu discovery works properly from the internal network's perspective), or to manually force the maximum MTU to a value smaller than 1500 on all

RE: [leaf-user] PPPoE, IPSec and MTU size problems

2003-02-13 Thread Todd Pearsall
Charles S. wrote: I understand your logic, but what are you doing that kills the connection? You should be able to play with IPSec tunnels all day long w/o messing up the main external uplink... Some of the changes I tried were tweaking the CLAMPMSS in shorewall and CLAMPMSS and mtu

Re: [leaf-user] PPPoE, IPSec and MTU size problems

2003-02-13 Thread Lynn Avants
On Thursday 13 February 2003 08:15 am, Todd Pearsall wrote: - I successfully mapped a Windoze share (champagne corks flew), but it would hang when I tried to get a directory listing - I tried to view a web site on the distant end and the browser resolved it and loaded part of the page, but

RE: [leaf-user] PPPoE, IPSec and MTU size problems

2003-02-13 Thread Todd Pearsall
Ok, let's look at the base of your connection. The remote end works flawlessly when connecting to your subnet, correct? Yup On your subnet, you can map a share but transfers generally bomb out, correct? The local end can map a share, but transfers hang. Ftp connect, transfers hang, etc.

Re: [leaf-user] PPPoE, IPSec and MTU size problems

2003-02-13 Thread Lynn Avants
On Thursday 13 February 2003 10:58 am, Todd Pearsall wrote: I'll bet my desktop that you're running Win2k/XP Pro/Server on the local end AND not on the remote end. If so, you can thank Bill G. for breaking the DNS and WINS rfc's for your problem. The integration of these two services in

Re: [leaf-user] PPPoE, IPSec and MTU size problems

2003-02-13 Thread Charles Steinkuehler
Todd Pearsall wrote: You're close, except it's Windoze at both ends. Doesn't work: Local WinXP to Remote WinNT Server Works: Remote WinXP to Local Win2000 Server Check into this at some of the MS FAQ sites. I think there are some issues when connecting XP to NT4 servers (XP machines can't be

RE: [leaf-user] PPPoE, IPSec and MTU size problems

2003-02-13 Thread Lars Kneschke(priv.)
Todd Pearsall [EMAIL PROTECTED] wrote: Another note I wanted to repeat just in case it was important and overlooked in my 1st message of this lengthy thread. When I restart PPPoE (locally), in the course of the connection establishing I get messages to the effect of Can't increase MTU to

Re: [leaf-user] PPPoE, IPSec and MTU size problems

2003-02-13 Thread Stephen Lee
On Thu, 2003-02-13 at 09:35, Charles Steinkuehler wrote: Todd Pearsall wrote: You're close, except it's Windoze at both ends. Doesn't work: Local WinXP to Remote WinNT Server Works: Remote WinXP to Local Win2000 Server Check into this at some of the MS FAQ sites. I think there are some

RE: [leaf-user] PPPoE, IPSec and MTU size problems

2003-02-13 Thread Todd Pearsall
Check into this at some of the MS FAQ sites. I think there are some issues when connecting XP to NT4 servers (XP machines can't be added to NT domains or something like that)...part of the MS forced upgrade strategy. IIRC, you can get it to work, but you have to be very careful

Re: [leaf-user] PPPoE, IPSec and MTU size problems

2003-02-13 Thread Lynn Avants
On Thursday 13 February 2003 01:44 pm, Todd Pearsall wrote: Once I get any traffic moving I'm better prepared to fight the MS stuff. That's why I'm using ftp as my test (how bad can M$ mess that up?) Real bad if you're using a Win2K/XP Pro workstation. When 2K first came out I added a couple of

RE: [leaf-user] PPPoE, IPSec and MTU size problems

2003-02-13 Thread Todd Pearsall
Below are tcpdumps from the eth1 and then the ipsec0 interfaces. Any help in making some sense would be great. Let me know if other options, test, etc. would be more useful. If it gets too wrapped in e-mail I can make it available on the web. Thanks. - Todd User on the local end makes a FTP

Re: [leaf-user] PPPoE, IPSec and MTU size problems

2003-02-13 Thread Charles Steinkuehler
Todd Pearsall wrote: Once I get any traffic moving I'm better prepared to fight the MS stuff. That's why I'm using ftp as my test (how bad can M$ mess that up?) Now there's a baited question. I'll keep my response civil, and point out that that's what your traffic sniffer is for. :) BTW:

RE: [leaf-user] PPPoE, IPSec and MTU size problems

2003-02-13 Thread Todd Pearsall
A couple more details. On the local end I've used 3 different machines (my XP laptop that works over the VPN from any of the other locations, local XP laptop that belongs to one of the folks at the local site, local end W2K server) so I don't *think* it's a local machine issue. The totally

Re: [leaf-user] PPPoE, IPSec and MTU size problems

2003-02-13 Thread Charles Steinkuehler
Todd Pearsall wrote: Below are tcpdumps from the eth1 and then the ipsec0 interfaces. Any help in making some sense would be great. Let me know if other options, test, etc. would be more useful. If it gets too wrapped in e-mail I can make it available on the web. It's not too hard to piece

RE: [leaf-user] PPPoE, IPSec and MTU size problems

2003-02-13 Thread Todd Pearsall
Todd Pearsall wrote: Below are tcpdumps from the eth1 and then the ipsec0 interfaces. Any help in making some sense would be great. Let me know if other options, test, etc. would be more useful. If it gets too

Re: [leaf-user] PPPoE, IPSec and MTU size problems

2003-02-13 Thread Charles Steinkuehler
Todd Pearsall wrote: I had never considered the remote end. Just for grins I put overridemtu=1200 on the remote end ipsec.conf and lo and behold data transfers!!! I suspect I have patched the problem, but not addressed it. Does this change any of the steps I should be doing to continue

RE: [leaf-user] PPPoE, IPSec and MTU size problems

2003-02-13 Thread Todd Pearsall
Charles Steinkuehler wrote Using overridemtu may not be the best solution, but I think it should work properly. While it doesn't look like it's possible to set overridemtu on a per-connection basis, clamping *ALL* VPN traffic to an MTU that fits through the PPPoE links wouldn't be too

Re: [leaf-user] PPPoE, IPSec and MTU size problems

2003-02-13 Thread Charles Steinkuehler
Todd Pearsall wrote: Charles Steinkuehler wrote Using overridemtu may not be the best solution, but I think it should work properly. While it doesn't look like it's possible to set overridemtu on a per-connection basis, clamping *ALL* VPN traffic to an MTU that fits through the PPPoE links

RE: [leaf-user] PPPoE, IPSec and MTU size problems

2003-02-12 Thread Todd Pearsall
The saga continues... I tried a couple things based on help from Charles S. (some day I want my 1st name and last initial to be all I need to be recognized ;)) and some of the folks on the FreeSWAN list. Here's what I tried individually with reboots in between to be sure: In Shorewall Config

Re: [leaf-user] PPPoE, IPSec and MTU size problems

2003-02-12 Thread Charles Steinkuehler
Todd Pearsall wrote: The saga continues... I tried a couple things based on help from Charles S. (some day I want my 1st name and last initial to be all I need to be recognized ;)) and some of the folks on the FreeSWAN list. Here's what I tried individually with reboots in between to be sure:

RE: [leaf-user] PPPoE, IPSec and MTU size problems

2003-02-12 Thread Todd Pearsall
Have you tried changing the MTU on your internal machines, and/or sniffing the traffic to see what it looks like? I haven't tried changing the MTU of the internal machines. The office is one of our consulting offices so our folks from other offices are frequently roaming through with laptops.

Re: [leaf-user] PPPoE, IPSec and MTU size problems

2003-02-12 Thread Charles Steinkuehler
Todd Pearsall wrote: Have you tried changing the MTU on your internal machines, and/or sniffing the traffic to see what it looks like? I haven't tried changing the MTU of the internal machines. The office is one of our consulting offices so our folks from other offices are frequently roaming

RE: [leaf-user] PPPoE, IPSec and MTU size problems

2003-02-12 Thread Todd Pearsall
I'll try the tcpdump, thanks for the recommendations. I was on the phone with Netopia (the current router I put in bridging mode is a Cayman/Netopia) to see if there were any VPN add-ons I could buy for the Cayman so it could support the roadwarrior and gateway VPNs I need. Unfortunately there

Re: [leaf-user] PPPoE, IPSec and MTU size problems

2003-02-12 Thread Charles Steinkuehler
Todd Pearsall wrote: I'll try the tcpdump, thanks for the recommendations. I was on the phone with Netopia (the current router I put in bridging mode is a Cayman/Netopia) to see if there were any VPN add-ons I could buy for the Cayman so it could support the roadwarrior and gateway VPNs I

Re: [leaf-user] PPPoE, IPSec and MTU size problems

2003-01-31 Thread Charles Steinkuehler
Todd Pearsall wrote: I'm pretty sure I'm having fragmentation issues for packets sent over the IPSEC tunnel. Regular internet traffic passes fine, downloads are Ok, etc. Over the VPN, connections hang for anything except the smallest changes. For example: - I can make an ftp connection, get

Re: [leaf-user] PPPoE, IPSec and MTU size problems

2003-01-31 Thread K.-P. Kirchdörfer
Todd; don't know if you have seen this one: http://www.freeswan.ca/docs/freeswan-1.99/doc/faq.html#pmtu.broken kp On Friday, 31 January 2003 03:55, Todd Pearsall wrote: I'm pretty sure I'm having fragmentation issues for packets sent over the IPSEC tunnel. Regular internet traffic passes

[leaf-user] PPPoE, IPSec and MTU size problems

2003-01-30 Thread Todd Pearsall
I'm pretty sure I'm having fragmentation issues for packets sent over the IPSEC tunnel. Regular internet traffic passes fine, downloads are Ok, etc. Over the VPN, connections hang for anything except the smallest changes. For example: - I can make an ftp connection, get directory lists,

Re: [leaf-user] PPPoE, IPSec and MTU size problems

2003-01-30 Thread Lynn Avants
On Thursday 30 January 2003 08:55 pm, you wrote: snip I thought somewhere along the way I read that I didn't need to worry about the Couldn't increase MTU to 1500 warnings. Since it works fine for non-vpn traffic I didn't worry about it (until now). snip Any help would be greatly appreciated,