Scott Ullrich wrote:
I access SQL, RDP and many other items through my ipsec tunnel and I
never change the MTU on the client. That's a bad idea. The
solution is to find out why the packets are getting frag'd. Active
directory traffic does not work across my IPSEC tunnel but RDP and
friends surely do. I would say there is something else causing the
fragmentation.

I'm coming a bit late into this one, but it still seems to be outstanding.

Fragmentation isn't the issue at all. Modern OSes use PMTUD to discover
the largest MTU of the path, if it's less than their MTU. Racoon (or
FreeBSD, more likely) breaks PMTUD with IPsec because it doesn't take
the IPsec overhead into account. So packets end up larger than the 1500
or 1492 MTU on the WAN and just disappear. What should happen at that
point is pfsense should send back a "frag needed, DF bit set" message,
which causes the host to retry with a smaller MSS. Some commercial
VPNs (Cisco client in particular) will avoid this altogether because it
can be easier that way, by automatically fragmenting packets that are
too big. That's with the Cisco client VPN; their site to site VPN takes
IPsec overhead on PMTU into account appropriately.

OSes with PMTUD enabled by default (virtually everything in use today)
won't fragment packets; they'll set the DF bit on everything, expecting
the "frag needed, DF bit set" reply part of PMTUD to work. ICMP is an
exception to this, generally, in situations like with MS AD where it
needs a 2000 byte ICMP echo request and reply to determine link speed
(which is ridiculous, but regardless...). DF is generally not set by
default on ICMP (at least on Windows).

While this doesn't always happen, and doesn't happen to everyone, it's
most definitely an issue. Lowering the client MTU is the only way to
resolve it at this point. I don't know what the cause is, but it's an
issue as described above with both m0n0wall and pfsense.
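As an added illustration of the overhead problem described in the reply above (example code written for this page, not from the thread, racoon, m0n0wall or pfSense): it works out how much ESP tunnel mode adds to an inner packet, the largest inner packet that still fits a 1500 or 1492 byte WAN MTU, and what a gateway should do with a DF-marked packet that does not fit. The transforms (AES-CBC with a 16-byte IV and block, HMAC-SHA1-96 with a 12-byte ICV) are assumptions; the thread does not say which were negotiated.

```python
# ESP tunnel-mode overhead vs. the WAN MTU.  Constructed example, not code
# from the thread; assumes ESP with AES-CBC (16-byte IV and block) and
# HMAC-SHA1-96 (12-byte ICV), which the thread does not specify.
IP_HDR = 20     # outer IPv4 header added by tunnel mode
SPI_SEQ = 8     # ESP header: SPI (4) + sequence number (4)
IV = 16         # AES-CBC IV (assumed transform)
BLOCK = 16      # AES block size; the encrypted payload is padded to it
TRAILER = 2     # pad-length (1) + next-header (1) bytes
ICV = 12        # HMAC-SHA1-96 (assumed transform)
NAT_T_UDP = 8   # UDP header present only with NAT-T encapsulation

def esp_tunnel_size(inner_len: int, nat_t: bool = False) -> int:
    """Size on the WAN of an inner IP packet of inner_len bytes after ESP."""
    # Inner packet + trailer, padded up to a multiple of the cipher block.
    padded = -(-(inner_len + TRAILER) // BLOCK) * BLOCK
    return IP_HDR + (NAT_T_UDP if nat_t else 0) + SPI_SEQ + IV + padded + ICV

def max_inner_mtu(wan_mtu: int, nat_t: bool = False) -> int:
    """Largest inner packet that still fits the WAN MTU after ESP.

    This is the next-hop MTU a gateway should put in its ICMP
    'fragmentation needed, DF set' reply so the host's PMTUD shrinks
    its segments instead of having them silently dropped.
    """
    n = wan_mtu
    while esp_tunnel_size(n, nat_t) > wan_mtu:
        n -= 1
    return n

def clamped_mss(wan_mtu: int, nat_t: bool = False) -> int:
    """TCP MSS to clamp to on the tunnel: inner MTU minus IPv4 + TCP headers."""
    return max_inner_mtu(wan_mtu, nat_t) - 40

def forward_decision(inner_len: int, df: bool, wan_mtu: int, nat_t: bool = False) -> str:
    """What a correct tunnel gateway does with one inner packet.

    Too large with DF set   -> ICMP frag-needed carrying max_inner_mtu();
                               dropping it silently is the PMTUD black hole.
    Too large with DF clear -> fragment (e.g. Windows ICMP echo, no DF).
    """
    if esp_tunnel_size(inner_len, nat_t) <= wan_mtu:
        return "forward"
    if df:
        return f"icmp-frag-needed next-hop-mtu={max_inner_mtu(wan_mtu, nat_t)}"
    return "fragment"
```

A full 1500-byte inner packet grows to 1560 bytes on the wire under these assumptions, so the largest inner packet a 1500-byte WAN can carry is 1438 bytes (1422 on a 1492-byte PPPoE link), which is the value the "frag needed" reply has to advertise.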