Topic: Fragments fail through IPSec VPN [Large Packets, Fragment]  (Read 6745 times)
« on: January 22, 2009, 14:35:10 »
neik
Posts: 6

I have two monowalls connected via an IPSec VPN (on a LAN). Large packets, e.g. "ping -l 2048" on Windows, do not reliably work.

This line from syslog shows the (part of?) first packet of a 4-packet ping being blocked by the local firewall, even though, of course, the default LAN rule is in place. The first ping failed, the next three worked OK. Sometimes I can do several bursts of 100 pings, sometimes not.

This is a 1.3b15 monowall sending the pings. 1.235 seems much worse.

I have turned on _every_ option for large fragments (i.e. advanced options and each rule).

ipmon[128]: 21:55:11.649191 vr0 @100:2 b -> PR icmp len 20 (596) (frag 10678:576@1480) IN

Sometimes 4096 byte pings work better than 2048 byte pings
« Reply #1 on: May 12, 2009, 01:57:31 »
brushedmoss
Posts: 446

The first ping failing may be while the SAs establish.

With regard to random packets failing with large packets, this may be your ISP's paths; maybe some packets are going different paths, and one of these paths has a problem with PMTU?

Set the MTU at both ends lower and see what happens.
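The ipmon line in the first post and the MTU advice in the reply can both be checked with a little arithmetic. The following is an added example, not code from either poster or from the m0n0wall project: it works out how an IPv4 datagram is split into fragments for a given MTU, parses the "(frag id:len@offset)" field of an ipmon log line, and shows that the blocked packet (576 bytes of data at offset 1480, IP ID 10678) is exactly the second fragment of a Windows "ping -l 2048" (20-byte IP header + 8-byte ICMP header + 2048 bytes of payload = 2076 bytes) sent over a 1500-byte MTU. A non-first fragment carries no ICMP header, so a stateful filter cannot see an ICMP type or code in it; that is why fragments need their own allow option and why lowering the MTU (here 1400, an arbitrary value chosen for illustration) changes where the split happens. The ipmon field layout assumed here (the "@group:rule" token followed by a one-letter action, "b" for block or "p" for pass) is an assumption about the IPFilter log format, and the sample line is the one quoted in the post.

```python
import re

IPV4_HEADER_LEN = 20   # IPv4 header without options
ICMP_HEADER_LEN = 8    # ICMP echo request/reply header


def ping_datagram_len(payload_bytes):
    """Total IPv4 length of an ICMP echo carrying payload_bytes of data
    (what 'ping -l N' on Windows puts on the wire before fragmentation)."""
    return IPV4_HEADER_LEN + ICMP_HEADER_LEN + payload_bytes


def fragment_datagram(total_len, mtu, header_len=IPV4_HEADER_LEN):
    """Split an IPv4 datagram of total_len bytes into (data_len, offset) pairs
    as a sender fragments it for a link MTU of mtu bytes.

    Fragment offsets are carried in 8-byte units, so every fragment except the
    last holds the largest multiple of 8 data bytes that fits below the MTU.
    Each fragment also repeats the header_len-byte IP header."""
    if mtu < header_len + 8:
        raise ValueError("MTU too small to carry even one 8-byte fragment")
    payload = total_len - header_len
    if payload <= mtu - header_len:
        return [(payload, 0)]            # fits, no fragmentation needed
    max_data = (mtu - header_len) // 8 * 8
    frags = []
    offset = 0
    while offset < payload:
        data_len = min(max_data, payload - offset)
        frags.append((data_len, offset))
        offset += data_len
    return frags


# ipmon writes non-first/partial fragments as "(frag <ip id>:<data len>@<offset>)"
IPMON_FRAG_RE = re.compile(r"\(frag (?P<ipid>\d+):(?P<dlen>\d+)@(?P<off>\d+)\)")
# Assumed layout: "@group:rule" followed by the action letter (b = block, p = pass)
IPMON_RULE_RE = re.compile(r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp])\b")


def parse_ipmon_fragment(line):
    """Return (ip_id, data_len, offset) for a fragment log line, or None."""
    m = IPMON_FRAG_RE.search(line)
    if not m:
        return None
    return int(m["ipid"]), int(m["dlen"]), int(m["off"])


def parse_ipmon_action(line):
    """Return (group, rule, action) from the '@group:rule b' token, or None."""
    m = IPMON_RULE_RE.search(line)
    if not m:
        return None
    return int(m["group"]), int(m["rule"]), m["action"]


def is_non_first_fragment(line):
    """True when the logged packet is a fragment with a non-zero offset: it
    carries no transport (ICMP/TCP/UDP) header, so a filter matching on
    ICMP type or ports cannot classify it and must rely on its fragment rules."""
    frag = parse_ipmon_fragment(line)
    return frag is not None and frag[2] != 0


def log_fragment_matches_ping(line, payload_bytes, mtu):
    """True when the (data_len, offset) logged by ipmon is one of the fragments
    that a ping with payload_bytes of data would produce at the given MTU."""
    frag = parse_ipmon_fragment(line)
    if frag is None:
        return False
    _, data_len, offset = frag
    expected = fragment_datagram(ping_datagram_len(payload_bytes), mtu)
    return (data_len, offset) in expected


# Constructed sample: the line quoted in the post above.
SAMPLE_LOG = ("ipmon[128]: 21:55:11.649191 vr0 @100:2 b -> PR icmp len 20 (596) "
              "(frag 10678:576@1480) IN")

if __name__ == "__main__":
    for payload in (2048, 4096):
        total = ping_datagram_len(payload)
        for mtu in (1500, 1400):
            print(f"ping -l {payload}: {total} bytes at MTU {mtu} ->",
                  fragment_datagram(total, mtu))
    print("logged fragment:", parse_ipmon_fragment(SAMPLE_LOG),
          "action:", parse_ipmon_action(SAMPLE_LOG))
    print("non-first fragment:", is_non_first_fragment(SAMPLE_LOG))
    print("matches ping -l 2048 at MTU 1500:",
          log_fragment_matches_ping(SAMPLE_LOG, 2048, 1500))
```

Running it shows the 2076-byte datagram splitting into 1480@0 and 576@1480 at MTU 1500, and into 1376@0 and 680@1376 at MTU 1400; the blocked packet in the log is the 576@1480 piece, a non-first fragment that rule 2 of group 100 dropped. If the same ping is re-run after lowering the MTU as the reply suggests, the fragment sizes in ipmon should move to the second set of values, which is a quick way to confirm the new MTU is actually in effect at both ends.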