I don't have a box in front of me right now, but from memory, try setting the MTU in the WAN screen - if I remember right, that'll force PF to do MSS fixups.

--Bill

On 10/10/05, Chris Buechler <[EMAIL PROTECTED]> wrote:
Fleming, John (ZeroChaos) wrote:

>I'm guessing we might need to do some mss fixup for ipsec tunnels.
>
>

and you'd be right.  I'm not sure where it breaks down, but PMTUD is
b0rk over IPsec tunnels.  Has always been an issue in m0n0wall.  I've
looked at it some, but wasn't able to determine anything affirmatively
other than "it's broken".  The MSS clamping in IPF in m0n0wall doesn't
differentiate between internet traffic and VPN traffic, and hence
doesn't take into account the overhead of IPsec and doesn't solve the
problem.

The typical "solution" is to drop the MTU on LAN hosts until it works,
people usually set it at 1400 (as a number that works, should be able to
squeeze more than that).  Depending on the characteristics of your
network traffic, this can have a measurable negative impact on network
performance, especially on the LAN with large data transfers.

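Added example, not part of the thread or of m0n0wall/pfSense: a small calculator for the ESP tunnel-mode overhead that the IPF/PF clamp ignores, and hence for the MSS a VPN-aware clamp should use. The framing sizes (outer IPv4 20, ESP header 8, 16-byte IV and block for AES-CBC, 2-byte trailer, 12-byte ICV for HMAC-SHA1-96, 8-byte UDP for NAT-T) are assumptions taken from standard ESP framing; other cipher suites change them. It also shows why the "1400 on the LAN" workaround fits with room to spare.

```python
"""Estimate ESP tunnel-mode overhead and the MSS a VPN-aware clamp should use.

Added example; the constants below are assumptions for IPv4 ESP tunnel mode
with AES-CBC (16-byte block and IV) and HMAC-SHA1-96 (12-byte ICV).
"""

OUTER_IPV4 = 20      # outer IPv4 header added by tunnel mode
ESP_HEADER = 8       # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2      # pad length (1) + next header (1)
NAT_T_UDP = 8        # UDP header inserted when NAT traversal is in use
INNER_IP_TCP = 40    # inner IPv4 (20) + TCP (20) headers without options


def esp_padding(inner_len: int, block: int = 16) -> int:
    """Padding ESP adds so that payload + pad + trailer is a multiple of the block size."""
    return (-(inner_len + ESP_TRAILER)) % block


def esp_tunnel_len(inner_len: int, block: int = 16, iv: int = 16,
                   icv: int = 12, nat_t: bool = False) -> int:
    """On-the-wire size of one inner IP packet after ESP tunnel-mode encapsulation."""
    total = (OUTER_IPV4 + ESP_HEADER + iv + inner_len
             + esp_padding(inner_len, block) + ESP_TRAILER + icv)
    if nat_t:
        total += NAT_T_UDP
    return total


def worst_case_overhead(block: int = 16, iv: int = 16, icv: int = 12,
                        nat_t: bool = False) -> int:
    """Largest possible overhead (maximum padding), independent of packet size."""
    return (OUTER_IPV4 + ESP_HEADER + iv + (block - 1) + ESP_TRAILER + icv
            + (NAT_T_UDP if nat_t else 0))


def max_inner_mtu(wan_mtu: int = 1500, **kw) -> int:
    """Largest inner packet guaranteed to fit the WAN MTU once encapsulated."""
    return wan_mtu - worst_case_overhead(**kw)


def clamp_mss(wan_mtu: int = 1500, **kw) -> int:
    """MSS to clamp on VPN traffic: guaranteed inner MTU minus inner IP+TCP headers."""
    return max_inner_mtu(wan_mtu, **kw) - INNER_IP_TCP


def fits(inner_len: int, wan_mtu: int = 1500, **kw) -> bool:
    """True if a specific inner packet crosses the WAN link without fragmentation."""
    return esp_tunnel_len(inner_len, **kw) <= wan_mtu


if __name__ == "__main__":
    for nat_t in (False, True):
        label = "with NAT-T" if nat_t else "no NAT-T"
        print(f"{label}: overhead<={worst_case_overhead(nat_t=nat_t)} "
              f"inner MTU={max_inner_mtu(nat_t=nat_t)} MSS={clamp_mss(nat_t=nat_t)}")
    # The workaround from the thread: a 1400-byte LAN MTU leaves headroom.
    print("1400-byte inner packet fits:", fits(1400), "(wire size", esp_tunnel_len(1400), ")")
    print("1500-byte inner packet fits:", fits(1500))
```

On pf the resulting MSS would go into a scrub rule's max-mss option, applied to the IPsec traffic rather than to everything; the point of the calculation is that the clamp for VPN flows must be lower than the clamp that suits plain internet traffic, which is exactly the distinction the m0n0wall IPF clamp does not make.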

