News: This forum is now permanently frozen.
linktree m0n0wall Forum  >  m0n0wall Support (English)  >  Bug Reports  >  No feedback
linktree Topic: Fragments fail through IPSec VPN [Large Packets, Fragment]
Pages: [1]
Topic: Fragments fail through IPSec VPN [Large Packets, Fragment]  (Read 6745 times)
« on: January 22, 2009, 14:35:10 »
neik *
Posts: 6
I have two monowalls connected via a IPSec VPN (on a LAN). Large packets eg "ping -l 2048" on windows, do not reliably work.

This line from syslog shows the (part of?) first packet of a 4 packet ping being blocked by the local firewall even through of course the default LAN rule is in place.  The first ping failed, the next three worked ok. Sometimes I can do serveral bursts of a 100 pings, sometimes not.

This is a 1.3b15 monowall sending the pings. 1.235 seems much worse.

I have turned on _every_ option for large fragments (ie advanced options and each rule).

ipmon[128]: 21:55:11.649191 vr0 @100:2 b 192.168.122.199 -> 192.168.1.1 PR icmp len 20 (596) (frag 10678:576@1480) IN

Sometimes 4096 byte pings work better than 2048 byte pings
« Reply #1 on: May 12, 2009, 01:57:31 »
brushedmoss ****
Posts: 446
the first ping failing maybe while the SA's establish.

wrt to random packets failing with large packets, this may be your isp's paths, maybe some packets are going different paths, and one of these paths has a problem  with pmtu ?

set the mtu at both ends lower and see what happens
 
Pages: [1]
 
 
Powered by SMF 1.1.20 | SMF © 2013, Simple Machines