Todd Pearsall wrote:
I had never considered the remote end. Just for grins I put
overridemtu=1200 on the remote end ipsec.conf and lo and behold data
transfers!!!
I suspect I have patched the problem, but not addressed it. Does this
change any of the steps I should be doing to continue troubleshooting or
should I just tweak the remote overridemtu=1200 until I find the max
that works?
While additional testing is required to figure out exactly what's going on, as mentioned before I suspect the problem is when return packets hit the PPPoE link with the don't fragment bit set. In all probability, the resulting ICMP errors don't make it out of your ISP's network, although they could be hitting the firewall on your FTP server end and getting blocked (I don't know how Shorewall handles ICMP traffic by default).

Regardless, with the smaller MTU forced on the remote end, your FTP server *IS* seeing the ICMP errors generated by your firewall, so Path MTU discovery works, and the FTP server correctly scales back its transmit size (hypothetical at this point...still to be verified by packet sniffing).

Using overridemtu may not be the best solution, but I think it should work properly. While it doesn't look like it's possible to set overridemtu on a per-connection basis, clamping *ALL* VPN traffic to an MTU that fits through the PPPoE links wouldn't be too bad. If you can get IPTables MSS clamping to work equally well, you should be able to clamp the MTU on only those packets traveling to the troublesome PPPoE endpoint.

Thank you Charles for a huge chunk of your time!!!
Glad to help.

--
Charles Steinkuehler
[EMAIL PROTECTED]
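The two firewall-side measures Charles describes, as an added shell example that is not from this thread or the LEAF project: let ICMP "fragmentation needed" errors through so Path MTU discovery works, and clamp the TCP MSS only on traffic to the troublesome PPPoE endpoint. The endpoint 192.0.2.10 and the MTU of 1200 are constructed values, and IPT defaults to echo so the script dry-runs; set IPT=iptables to apply the rules.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions, all constructed:
# the remote PPPoE endpoint is 192.0.2.10, the tunnel MTU we want is 1200,
# and the rules run on the firewall in front of the FTP server.
# IPT defaults to "echo" (dry run); set IPT=iptables to apply for real.
IPT="${IPT:-echo}"

# Largest TCP MSS that fits a given IPv4 MTU: MTU minus 20 (IP) minus 20 (TCP).
mss_for_mtu() {
    mtu="$1"
    [ "$mtu" -gt 576 ] || { echo "mtu $mtu too small" >&2; return 1; }
    echo $(( mtu - 40 ))
}

# Accept ICMP type 3 code 4 (fragmentation-needed) for the firewall itself
# and for hosts behind it, so a sender learns the path MTU instead of
# silently losing every large packet with the DF bit set.
allow_pmtud() {
    $IPT -A INPUT   -p icmp --icmp-type fragmentation-needed -j ACCEPT
    $IPT -A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT
}

# Rewrite the MSS option on SYN packets forwarded to one destination only,
# so other VPN peers keep their full MSS (unlike a global overridemtu).
clamp_mss_to() {
    dst="$1"; mtu="$2"
    mss=$(mss_for_mtu "$mtu") || return 1
    $IPT -t mangle -A FORWARD -d "$dst" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --set-mss "$mss"
}

# Apply both pieces with the constructed endpoint and MTU.
run_example() {
    allow_pmtud
    clamp_mss_to 192.0.2.10 1200
}
```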




------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html