Todd Pearsall wrote:
I'm pretty sure I'm having fragmentation issues for packets sent over
the IPSEC tunnel. Regular internet traffic passes fine, downloads are
OK, etc. Over the VPN, connections hang for anything except the
smallest changes.
For example:
- I can make an ftp connection, get directory lists, download tiny files
(a couple of chars in a text file), but it hangs if I try to download a 2k
file.
- I can authenticate to a database using a query tool, but requesting a
table list hangs.
- I can map a M$ share, but doing a "dir" hangs it.
At first I thought it might be a strange hardware/memory issue, but I get
the exact same results using entirely different hardware.
Based on some reading I tried "testing" the MTU settings from my desktop
PC as follows:
ping -f -n 1 -l 1410 ip.add.re.ss
using increasing values. To a non-IPSEC tunneled address my max was
1464 and through the VPN it was 1410. If I understood the reading, I could
then add 28 to each value to get my max MTU (1492 and 1438 respectively).
With this new-found "knowledge" I've been playing with the pppoe options
in /etc/ppp/peers/dsl-provider:
pty "pppoe -I eth0 -T 80 -m 1400"
and near the bottom
mtu 1400
But to no avail. It sounds like I want to set the non-tunneled traffic
to 1492 and the tunneled to 1438, but so far I can't get anything going
over the VPN.
I also tried flipping the shorewall.conf CLAMPMSS=Yes back to No, but
still no luck.
Have you tried:
- Setting shorewall to clamp *ALL* traffic to 1438 (the smaller of the MTU sizes) with CLAMPMSS? This will marginally slow down unencrypted traffic, but could get your VPN working.
- Setting the MTU on your internal system to 1438? This will also affect all traffic.
- Configuring any appropriate path MTU discovery options on your VPN client systems, and verifying your firewalls and VPN gateways are properly passing/generating ICMP messages regarding packet fragmentation? Many firewalls are set up to blindly drop ICMP messages, which breaks path MTU discovery. Since you're running over a VPN, you should be able to get path MTU to work properly, assuming you are running OSs that actually manage to implement TCP/IP properly (i.e. something other than Microsoft).
Additional note: It's probably not much help now, but if you're running M$ system traffic over your VPN (which it sounds like you plan to), be sure you apply the registry tweaks required for good performance on a high-bandwidth internet link. This increases the TCP window size, which helps M$ systems deal with high-latency networks. That's important for your VPN as well as for maximizing Kazaa download speed. :-)
--
Charles Steinkuehler
[EMAIL PROTECTED]
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
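The probe-and-clamp procedure discussed in this thread (walk the DF-flagged ping payload up until it stops fitting, add the 28 bytes of IPv4 + ICMP header to get the path MTU, then clamp TCP MSS so SYNs never advertise more than the tunnel can carry), written out as an added shell example. This is not code from the thread or from the LEAF/shorewall project: it assumes Linux iputils `ping` (`-M do` sets DF and `-s` the payload, where Todd's Windows `ping` used `-f` and `-l`), and the host name and the 1410-byte stand-in predicate used for offline testing are constructed.

```bash
#!/bin/sh
# Path-MTU probe and MSS clamp helper (added example, not from the thread).
# IPv4 header (20 bytes) + ICMP echo header (8 bytes) = 28 bytes on top of
# the ping payload; TCP MSS = MTU - 20 (IP) - 20 (TCP) = MTU - 40.
IP_ICMP_OVERHEAD=28
IP_TCP_OVERHEAD=40

# Largest payload that fits unfragmented -> path MTU (Todd's "add 28").
mtu_from_payload() { echo $(( $1 + IP_ICMP_OVERHEAD )); }

# MTU -> the MSS value to clamp TCP SYNs to.
mss_from_mtu() { echo $(( $1 - IP_TCP_OVERHEAD )); }

# Predicate: does a DF-flagged echo with $2 payload bytes reach host $1?
# Assumes Linux iputils ping; on Windows use: ping -f -n 1 -l SIZE HOST
ping_fits() {
    ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# Binary search for the largest payload for which "$1 HOST SIZE" succeeds.
# $3 must be a size known to fit, $4 a size known not to fit.
find_max_payload() {
    pred=$1; host=$2; lo=$3; hi=$4
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$pred" "$host" "$mid"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

# Constructed stand-in for ping so the search can be exercised offline:
# pretends the path carries at most 1410 payload bytes, the figure Todd
# measured through the tunnel.
fake_fits_1410() { [ "$2" -le 1410 ]; }

# Probe a real host: prints max payload, derived MTU and the MSS to clamp to.
# 1500 is used as the "known not to fit" upper bound (Ethernet MTU + tunnel).
probe_path() {
    payload=$(find_max_payload ping_fits "$1" 0 1500)
    mtu=$(mtu_from_payload "$payload")
    echo "host=$1 max_payload=$payload mtu=$mtu mss=$(mss_from_mtu "$mtu")"
}

# The netfilter rule that pins the MSS of every forwarded SYN to the value
# derived from an MTU; this is the fixed-value form of what a CLAMPMSS
# setting produces, useful when PMTU discovery is broken by ICMP filtering.
clamp_rule_for_mtu() {
    echo "iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $(mss_from_mtu "$1")"
}
```

Two things worth checking before applying the numbers from the thread: the 1438 figure is an MTU, so the value to clamp to is the MSS of 1398 (1438 minus the 40 bytes of IP and TCP headers), not 1438 itself; and a DF-flagged probe only tells you the path MTU if the gateway in the path is allowed to send back ICMP "fragmentation needed", so a firewall that silently drops ICMP will make every oversize probe look like a timeout rather than a clean failure.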
