Thank you very much for your swift reply.  Using 'scrub on enc0
max-mss 1310 no-df' immediately solved the problem.

I have two questions though. Since 1310 is smaller than needed, how
do I determine the correct setting to use after max-mss? I understand
that in theory I want to subtract the length of the extra IP header
and the ESP header from 1500, but I'm not sure what the length of an
ESP header is (since it looks like it is variable because of padding).

Also, the pf.conf man page recommends using random-id with no-df.  Is
that appropriate here?

Thank you again for all your help.

--MHC



On 1/6/08, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2008/01/06 03:10, Max Hayden Chiz wrote:
> > But, loading very complex websites (yahoo, YouTube) takes so long that
> > the HTTP connection will reset before the browser is done.  I can't
> > figure out why this is happening and didn't find anything similar when
> > I searched the archives.
>
> Sounds like it could be MTU problems. With IPsec you don't have the
> usual 1500-byte MTU from a normal ethernet interface, it's smaller
> because of the additional headers.
>
> > set skip on {lo enc0}
> > scrub in
>
> I would remove enc0 from 'set skip' (you'll need a pass rule in its
> place) and then try something like 'scrub on enc0 max-mss 1310 no-df'
> (iirc, this comes after the other scrub rule). 1310 is smaller than
> you're actually likely to need but should work.
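A worked calculation of the max-mss value asked about above, added here as an example and not taken from the thread; it assumes an IPv4 tunnel-mode ESP SA laid out as in RFC 4303 (4-byte SPI plus 4-byte sequence number, cipher IV, padding up to the cipher block size, 2-byte pad-length/next-header trailer, ICV) and uses constructed defaults of a 16-byte block and IV and a 12-byte ICV, which must be replaced with the parameters of the transform actually negotiated.

```python
"""Derive a pf 'max-mss' value for TCP carried inside an IPsec ESP tunnel.

All sizes are in bytes. The cipher block size, IV length and ICV length
are assumptions standing in for whatever transform the SA really uses.
"""

IP4_HDR = 20      # outer and inner IPv4 header, no options
TCP_HDR = 20      # TCP header, no options
ESP_SPI_SEQ = 8   # ESP header: 4-byte SPI + 4-byte sequence number
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)


def esp_overhead(inner_len, block, iv, icv):
    """Bytes ESP adds around an inner packet of inner_len bytes.

    Payload + padding + trailer must be a multiple of the cipher block
    size, so the padding (and thus the overhead) depends on inner_len."""
    padded = -(-(inner_len + ESP_TRAILER) // block) * block  # ceil to block
    pad = padded - inner_len - ESP_TRAILER
    return ESP_SPI_SEQ + iv + pad + ESP_TRAILER + icv


def max_mss(path_mtu, block=16, iv=16, icv=12, outer_ip=IP4_HDR):
    """Largest TCP MSS whose inner IP packet, once wrapped in ESP and the
    outer IP header, still fits in path_mtu without fragmentation.

    Start from the zero-padding case and step down until the padded
    packet fits; padding makes a single subtraction insufficient."""
    inner = path_mtu - outer_ip - ESP_SPI_SEQ - iv - ESP_TRAILER - icv
    while inner > IP4_HDR + TCP_HDR:
        total = outer_ip + inner + esp_overhead(inner, block, iv, icv)
        if total <= path_mtu:
            # MSS is the TCP payload: inner packet minus IP and TCP headers
            return inner - IP4_HDR - TCP_HDR
        inner -= 1
    raise ValueError("path MTU too small to carry any TCP payload")


if __name__ == "__main__":
    # Constructed scenario: 1500-byte Ethernet path, AES-CBC-like 16-byte
    # block and IV with a 12-byte ICV (e.g. HMAC-SHA1-96).
    print("max-mss for a 1500-byte path:", max_mss(1500))
    # Lower-overhead transform: 4-byte alignment, 8-byte IV, 16-byte ICV.
    print("with block=4, iv=8, icv=16:", max_mss(1500, block=4, iv=8, icv=16))
```

The printed value is an upper bound for the assumed transform; any value at or below it (the 1310 used in this thread included) avoids ESP-induced fragmentation, while a larger one does not.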
