Topic: Very slow Site to Site IPSEC VPN
« on: October 08, 2008, 15:22:19 »
Fabbe

Hi!

I have a serious issue with a site-to-site IPsec VPN (monowall on both sides). The tunnel is up and running but it is extremely slow... If I change the MTU size on a client behind one of the firewalls to 1400 it works like a charm. Why is the option of setting the MTU in Monowall gone? Any purpose for it? The version I am running on both sides is the Wrap 1.3b14.

Any suggestions, anyone?

Best Regards
Fabian Aguirre
« Last Edit: October 09, 2008, 10:23:08 by Fabbe »
« Reply #1 on: October 10, 2008, 10:19:15 »
Fabbe

Please, anyone out there who might have a clue?
« Reply #2 on: October 10, 2008, 19:35:18 »
Manuel Kasper
Administrator

Either the WAN connection doesn't support the normal IP MTU of 1500 bytes for Ethernet networks, or something (firewall, router, ISP, ...) along the way between the two m0n0walls blocks fragmented ESP packets.

In the latter case, you should find out what drops ESP fragments; in the former case, you could try adjusting the MTU of m0n0wall's WAN interface through /exec.php:

/sbin/ifconfig xxx0 mtu 1400

(replacing xxx0 with the BSD name of the WAN interface). If that helps, you can make it stick by adding it in a <shellcmd> tag inside the <system> section of config.xml. Note that it could also make things worse for normal (i.e. non-IPsec) traffic if WAN MTU size is not really the reason.

The WAN MTU setting was removed because the way it worked in earlier versions (applying MSS clamping even for non-PPP connections) was based on an ugly kernel hack and can no longer be supported in FreeBSD 6.
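
The size arithmetic behind the symptom in this thread, as an added example (not part of any forum post and not m0n0wall code): it computes how large a tunnel-mode ESP packet becomes for a given inner packet, and the largest inner packet that still fits a WAN MTU without fragmentation. Assumptions: IPv4, no NAT-T, minimal ESP padding, and two common cipher proposals, since the thread does not say which one the tunnel uses.

```python
# Added example: ESP tunnel-mode size arithmetic (RFC 4303 packet layout).
# The cipher parameters are assumptions; the thread does not state the proposal.

OUTER_IP = 20      # outer IPv4 header, no options
ESP_HEADER = 8     # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)

# name: (IV bytes, cipher block bytes, ICV bytes) -- assumed common proposals
PROPOSALS = {
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
}


def esp_packet_size(inner_len, proposal):
    """Size on the WAN of one ESP packet carrying an inner IP packet."""
    iv, block, icv = PROPOSALS[proposal]
    # Inner packet + trailer is padded up to a multiple of the cipher block.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return OUTER_IP + ESP_HEADER + iv + padded + icv


def max_inner_mtu(path_mtu, proposal):
    """Largest inner packet whose ESP encapsulation still fits in path_mtu."""
    iv, block, icv = PROPOSALS[proposal]
    room = path_mtu - OUTER_IP - ESP_HEADER - iv - icv  # bytes left for ciphertext
    return (room // block) * block - ESP_TRAILER


def needs_fragmentation(inner_len, path_mtu, proposal):
    """True if the encapsulated packet exceeds the path MTU."""
    return esp_packet_size(inner_len, proposal) > path_mtu


if __name__ == "__main__":
    for name in PROPOSALS:
        for inner in (1500, 1400):
            size = esp_packet_size(inner, name)
            frag = needs_fragmentation(inner, 1500, name)
            print(f"{name}: inner {inner} -> ESP {size} bytes, fragmented: {frag}")
        print(f"{name}: largest inner packet at WAN MTU 1500 = "
              f"{max_inner_mtu(1500, name)}")
```

With a full-size 1500-byte inner packet the ESP packet exceeds a 1500-byte WAN MTU and must be fragmented, which is where a device that drops ESP fragments breaks the tunnel; a 1400-byte client MTU keeps every ESP packet below 1500 bytes under both assumed proposals.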