From: Tomas Bonnedahl <tomas@yes.nu>
To: lartc@vger.kernel.org
Subject: [LARTC] problem with fragmenting (mtu/mss)
Date: Wed, 13 Nov 2002 12:34:17 +0000
Message-ID: <marc-lartc-103719094329057@msgid-missing>

i have a setup that looks like this

LAN <--> router <--> fw <--> internet

both the router and the fw are slackware with 2.4.5, the fw also has
ipsec tunnels using the freeswan software.

the problem is that the fw is continuously hanging when sending too large
packets through the tunnel, even a frame over 1400 bytes gets the fw to hang.
(which it shouldn't, 40 bytes overhead for the ip and tcp header, and perhaps 20
bytes for the ESP header).

i have run out of options now, that's why i'm interested to hear your ideas.

the different areas that i have tried to search for a solution for this problem are:
1. changing the mtu on the router to 1300 to send packets (fragmented with a small size) 
to the fw and let it encrypt them
2. using iptables on the router to set the mss on the syn packets travelling _from_ the 
ipsec network to our lan (making our clients think that they have to have that mss to send) to 
everything from 500 to 1440 on the router.

an interactive session is able to go through the tunnel since those packets are
relatively small (40-100 bytes / packet), but using ftp to upload from our lan is
impossible.

anyone has a clue what could cause this problem on the fw, i would feel "better" if
the packets just were not sent, or perhaps that the ipsec software crashed, but this..
wtf?

tomas bonnedahl
network administrator
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
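
The MTU/MSS arithmetic behind the two attempts listed in the post, as an added example that is not part of the original message: it computes how large a packet becomes after ESP tunnel-mode encapsulation and which MSS keeps it within one unfragmented frame. The transform (3DES-CBC with a 96-bit HMAC), the 1500-byte outer MTU, the `mangle`/`FORWARD` rule placement and all function names are assumptions, not details of the poster's setup.

```shell
#!/bin/sh
# Assumed (not from the post): ESP tunnel mode over IPv4, 3DES-CBC
# (8-byte block, 8-byte IV) with a 96-bit HMAC ICV (12 bytes), no NAT-T.
OUTER_IP=20     # outer IPv4 header without options
ESP_HDR=8       # SPI (4) + sequence number (4)
ESP_TRAILER=2   # pad length (1) + next header (1)
INNER_HDRS=40   # inner IPv4 (20) + TCP (20), no options

# esp_packet_size INNER_LEN BLOCK IV ICV -> bytes on the wire after encapsulation
esp_packet_size() {
    # inner packet plus trailer is padded up to a whole number of cipher blocks
    padded=$(( ($1 + ESP_TRAILER + $2 - 1) / $2 * $2 ))
    echo $(( OUTER_IP + ESP_HDR + $3 + padded + $4 ))
}

# max_inner_packet MTU BLOCK IV ICV -> largest inner IP packet that needs no fragmentation
max_inner_packet() {
    room=$(( $1 - OUTER_IP - ESP_HDR - $3 - $4 ))   # bytes left for ciphertext
    room=$(( room / $2 * $2 ))                      # round down to whole blocks
    echo $(( room - ESP_TRAILER ))
}

# clamp_mss MTU BLOCK IV ICV -> MSS that keeps full-size TCP segments in one ESP packet
clamp_mss() {
    inner=$(max_inner_packet "$@")
    echo $(( inner - INNER_HDRS ))
}

# mss_rule MSS -> prints (does not install) a rule rewriting the MSS option on SYNs
mss_rule() {
    echo "iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $1"
}

# Constructed sample values: 1500 is an assumed outer MTU; 1300 and 1400 are
# the inner packet sizes mentioned in the post.
mss=$(clamp_mss 1500 8 8 12)
echo "outer MTU 1500: max inner packet $(max_inner_packet 1500 8 8 12), MSS $mss"
mss_rule "$mss"
for inner in 1300 1400; do
    echo "$inner-byte inner packet -> $(esp_packet_size "$inner" 8 8 12) bytes after ESP"
done
```

Under these assumptions the per-packet cost is 48 fixed bytes plus 2 to 9 bytes of trailer and padding, so both the 1300- and 1400-byte packets from the post stay below a 1500-byte outer MTU once encapsulated.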
