Re: ipsec tunnels & packet length issues

2003-10-31 Thread Eric Masson
> "Lars" == Lars Eggert <[EMAIL PROTECTED]> writes: Hello Lars, Lars> See the section on PMTU discovery in draft-touch-ipsec-vpn-06. If Lars> the requirements of your setup allow it, IPIP gif tunnels Lars> together with IPsec transport mode (as described in the ID) can Lars> address this

Re: ipsec tunnels & packet length issues

2003-10-29 Thread Lars Eggert
Eric Masson wrote: If I reduce lan interface mtu on "Host" to approximately 1450, the tunnel works fine, so it seems that "Tunnel Endpoint" can't process correctly packets with a size of 1500 bytes. If more information regarding this issue is needed, just ask. Is this a known issue? Except playin

Re: ipsec tunnels & packet length issues

2003-10-29 Thread Company 2210
003 9:04 AM Subject: Re: ipsec tunnels & packet length issues > Eric Masson: > >>>>>> "Michael" == Michael Sierchio <[EMAIL PROTECTED]> writes: > > > > Michael> You should allow for an IP header with options and the ESP > > Michael>

Re: ipsec tunnels & packet length issues

2003-10-29 Thread Eric Masson
> "Helge" == Helge Oldach <[EMAIL PROTECTED]> writes: Hello Helge, Helge> Actually this is the case. I'd like... Helge> Or better, it *should* be happening - Helge> I don't know if you see the ICMPs or not. Nope no "message too long" icmp packet returned to originator (nothing in tcpdum

Re: ipsec tunnels & packet length issues

2003-10-29 Thread Helge Oldach
Eric Masson: >> "Michael" == Michael Sierchio <[EMAIL PROTECTED]> writes: > > Michael> You should allow for an IP header with options and the ESP > Michael> header, which is smaller than 1450. For SKIP I use 1366 as the > Michael> advertised MTU, and for IPsec usually 1436, unless I need to > M

Re: ipsec tunnels & packet length issues

2003-10-28 Thread Eric Masson
> "Michael" == Michael Sierchio <[EMAIL PROTECTED]> writes: Michael> You should allow for an IP header with options and the ESP Michael> header, which is smaller than 1450. For SKIP I use 1366 as the Michael> advertised MTU, and for IPsec usually 1436, unless I need to Michael> accommodate

Re: ipsec tunnels & packet length issues

2003-10-24 Thread Michael Sierchio
Eric Masson wrote: If I reduce lan interface mtu on "Host" to approximately 1450, the tunnel works fine, so it seems that "Tunnel Endpoint" can't process correctly packets with a size of 1500 bytes. You should allow for an IP header with options and the ESP header, which is smaller than 1450. Fo

ipsec tunnels & packet length issues

2003-10-24 Thread Eric Masson
Hello, I'm facing a problem with the following setup:

           +-----------------+ DMZ +----+ LAN +------+
Internet --+ Tunnel Endpoint +-----+ Fw +-----+ Host |
           +-----------------+     +----+     +------+

"Tunnel Endpoint": FreeBSD 4.8-RELEASE with fast