Charles Steinkuehler wrote:
> Using overridemtu may not be the best solution, but I think it should
> work properly. While it doesn't look like it's possible to set
> overridemtu on a per-connection basis, clamping *ALL* VPN traffic to an
> MTU that fits through the PPPoE links wouldn't be too bad. If you can
> get IPTables MSS clamping to work equally well, you should be able to
> clamp the MTU on only those packets traveling to the troublesome PPPoE
> endpoint.

For the archives: In the end I was able to get rid of the ipsec.conf overridemtu option on the remote end and instead set the remote end's CLAMPMSS=Yes in shorewall.conf, and traffic successfully passes. I *think* this is a better way to do it since all vpn packets won't be forced to that size.

Thanks again Charles for pushing me to see it through, it turned into quite an educational experience. I would have never thought that the solution would be modifications on the remote end, since that end has been happily using 4 vpn connections for ages now.

I also just realized why the old rsa keys I was using would establish a connection, but the new ones I'm moving all vpns to wouldn't. The old keys were 1024bit, the new ones are 2048bit, so they are still getting dropped somewhere along the way. But I now have time to work that out since everything is up and running.

Thanks again.

- Todd

------------------------------------------------------------------------
leaf-user mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
