[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: ipsec, nat and mtu problem in 3.1
On Fri, Jun 14, 2002 at 06:41:39PM -0700, Tor Roberts wrote:
> The problem is that when you go to certain web sites from network
> 192.168.6.0, they send back packets that when combined with the overhead
> of the ipsec tunnel, exceed the mtu of 1500 on the network. Router A will
> then send an icmp message "unreachable - need to frag (mtu 1428)" to the
> web server. It seems like lots of people like to block icmp packets at
> their firewalls, so the packets don't get fragged, and the site becomes
NAT doesn't change the packet size.
Solution 1: disable path mtu discovery on router A, you will get
fragmented packets. Remember that fragmented packets are bad when you
start to have packet drops.
#net.inet.ip.mtudisc=0 # 0=disable tcp mtu discovery
Solution 2: change the default MSS on all the stations in
192.168.6.0/24 to something suitable for your setup.
Solution 3: add code in PF which fix the MSS on outgoing TCP
requests. The code and basic idea is in /usr/sbin/ppp, search the man
page and the source code for 'mss-fixup' or something like that.