Fleming, John (ZeroChaos) wrote:

> I'm guessing we might need to do some mss fixup for ipsec tunnels.

and you'd be right. I'm not sure where it breaks down, but PMTUD is b0rk over IPsec tunnels. Has always been an issue in m0n0wall. I've looked at it some, but wasn't able to determine anything affirmatively other than "it's broken". The MSS clamping in IPF in m0n0wall doesn't differentiate between internet traffic and VPN traffic, and hence doesn't take into account the overhead of IPsec and doesn't solve the problem. The typical "solution" is to drop the MTU on LAN hosts until it works, people usually set it at 1400 (as a number that works, should be able to squeeze more than that). Depending on the characteristics of your network traffic, this can have a measurable negative impact on network performance, especially on the LAN with large data transfers.
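To make the overhead argument concrete, here is an added worked calculation (not code from the thread or from m0n0wall) that estimates the ESP tunnel-mode overhead for an inner IPv4/TCP packet and derives the MSS a VPN-aware clamp would need, next to the generic "MTU minus 40" value a tunnel-unaware clamp picks. The cipher and integrity sizes (AES-CBC with a 16-byte IV, HMAC-SHA1-96 with a 12-byte ICV, optional NAT-T UDP encapsulation) are assumptions chosen for illustration.

```python
# Added example, not from the mailing-list post or from m0n0wall.
# Assumed SA parameters: IPv4 outer header, AES-CBC (16-byte IV, 16-byte block),
# HMAC-SHA1-96 (12-byte ICV); NAT-T adds an 8-byte UDP header.
IPV4_HDR = 20
TCP_HDR = 20
ESP_SPI_SEQ = 8      # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2      # pad length (1 byte) + next header (1 byte)
NAT_T_UDP = 8        # UDP header when ESP is encapsulated for NAT traversal


def esp_tunnel_overhead(inner_len, iv_len=16, block=16, icv_len=12, nat_t=False):
    """Bytes ESP tunnel mode adds to an inner IPv4 packet of inner_len bytes.

    In tunnel mode the whole inner packet is the ESP payload, so padding is
    computed over inner_len plus the 2-byte trailer, aligned to the cipher
    block size (and never less than ESP's 4-byte alignment).
    """
    align = max(block, 4)
    pad = (-(inner_len + ESP_TRAILER)) % align
    return (IPV4_HDR + ESP_SPI_SEQ + iv_len + pad + ESP_TRAILER + icv_len
            + (NAT_T_UDP if nat_t else 0))


def generic_clamp(link_mtu=1500):
    """MSS a tunnel-unaware clamp chooses: link MTU minus IPv4 and TCP headers."""
    return link_mtu - IPV4_HDR - TCP_HDR


def clamped_mss_for_tunnel(link_mtu=1500, **sa):
    """Largest MSS whose full-sized segment still fits link_mtu after ESP.

    Because padding depends on the inner length, a closed form is awkward;
    search downward from the generic clamp instead (at most a few dozen steps).
    """
    mss = generic_clamp(link_mtu)
    while mss > 0:
        inner = IPV4_HDR + TCP_HDR + mss
        if inner + esp_tunnel_overhead(inner, **sa) <= link_mtu:
            return mss
        mss -= 1
    return 0


if __name__ == "__main__":
    print("generic clamp:", generic_clamp())                        # 1460
    print("AES-CBC/SHA1-96 tunnel:", clamped_mss_for_tunnel())      # 1398
    print("same SA with NAT-T:", clamped_mss_for_tunnel(nat_t=True))  # 1382
```

A generic 1460-byte clamp overshoots the tunnel by roughly 60 bytes for this SA, which is why a 1400-byte LAN MTU (MSS 1360) happens to work while leaving a few dozen bytes on the table.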