Philipp Rusch wrote:
> Tom Eastep wrote:
>> -SNIP-
>> Have you tried my suggestion of configuring a single IPSEC zone?
>>
>> -Tom
>>   
> Yes, I followed your suggestion and made only one zone for all the
> 172.30.0.0/16 tunnels.
> This works wonderfully now and reduces restart times a lot.
> BTW, our firewall is running SuSE 10.1 x86_64.
> So for now there is only one small thing left, that's the strange
> behaviour about that MTU size with 1350 bytes, which still is a myth
> to me.
> Is it possible that my (rather small) routers cannot find out about
> MTU, because I am blocking the type of ICMP packets they need for
> discovering?
> 

Specifying the mtu for ipsec zones is usually necessary in any
configuration. It doesn't need to be *your* routers that are misconfigured
-- it can be any router carrying traffic that is encrypted/decrypted by your
firewall.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
