[Solved] Re: IPsec issue
bsdaemon at comcast.net
Tue Jan 25 12:42:47 PST 2005
Kris Maglione wrote:
> I secure my wireless network with IPsec. The rules are generated with
> a perl script (included below) with a rule for each ip in the range
> 192.168.1.3-192.168.1.254 (.2 is my AP). The key exchange is handled
> by racoon and works without issue. I have "allow ip from any to any"
> as my first ipfw rule when on this network. My firewall allows DHCP
> and ISAKMP traffic unencrypted and allows only esp traffic otherwise.
> My problem is that certain websites tend not to work. I can look them
> up and make a connection, but I get no incoming packets, although on
> occasion they do work. Google is one such site. Also, it seems that
> images don't always load for any site. Neither firewall is blocking
> the traffic. When I make an OpenVPN link over the connection (it's
> easier than disabling IPsec, since it's already setup for when I'm
> away from home), the same websites work fine.
The problem turned out to be that with the overhead of the IPsec
headers, I needed to decrease the MTUs of both interfaces.
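Why the MTU had to come down, as an added illustration (not code from the thread): ESP adds a fixed header, an IV, block-size padding, a two-byte trailer and an ICV, so a full-size inner packet no longer fits the link MTU; with DF set such packets are silently dropped while small ones (SYNs, DNS) still pass, which matches the "connects but no data" symptom. The cipher parameters are assumed (3DES-CBC with HMAC-SHA1-96, IPv4 without options, no NAT-T); change `EspParams` for other suites.

```python
# Added example: ESP overhead and the largest inner MTU that still fits a link MTU.
# Assumptions: 3DES-CBC (8-byte IV, 8-byte block), HMAC-SHA1-96 (12-byte ICV),
# IPv4 headers without options, no UDP (NAT-T) encapsulation.
from dataclasses import dataclass

IPV4_HDR = 20      # outer IPv4 header, no options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspParams:
    iv_len: int = 8        # 3DES-CBC IV
    block: int = 8         # 3DES-CBC block size (padding alignment)
    icv_len: int = 12      # HMAC-SHA1-96 ICV
    tunnel: bool = False   # False: transport mode (host-to-host, as on a LAN)


def esp_padding(plaintext_len: int, block: int) -> int:
    """Padding bytes so that plaintext + trailer is a multiple of the block size."""
    return (-(plaintext_len + ESP_TRAILER)) % block


def wire_size(inner_pkt_len: int, p: EspParams) -> int:
    """Bytes on the wire for an inner IP packet of inner_pkt_len bytes after ESP.

    Transport mode encrypts only what follows the IP header and reuses that header
    as the outer one; tunnel mode wraps the whole packet and adds a new outer header.
    """
    plain = inner_pkt_len if p.tunnel else inner_pkt_len - IPV4_HDR
    pad = esp_padding(plain, p.block)
    return IPV4_HDR + ESP_HDR + p.iv_len + plain + pad + ESP_TRAILER + p.icv_len


def max_inner_mtu(link_mtu: int, p: EspParams) -> int:
    """Largest inner-interface MTU whose ESP-wrapped packets never exceed link_mtu.

    Padding makes the overhead vary with length, so search downward rather than
    subtracting one constant.
    """
    mtu = link_mtu
    while mtu > IPV4_HDR and wire_size(mtu, p) > link_mtu:
        mtu -= 1
    return mtu


def fits(inner_pkt_len: int, link_mtu: int, p: EspParams) -> bool:
    """True if the wrapped packet fits without fragmentation (DF-set packets are dropped otherwise)."""
    return wire_size(inner_pkt_len, p) <= link_mtu


if __name__ == "__main__":
    for params in (EspParams(), EspParams(tunnel=True)):
        mode = "tunnel" if params.tunnel else "transport"
        print(f"{mode}: 1500-byte packet -> {wire_size(1500, params)} bytes on the wire; "
              f"largest safe inner MTU {max_inner_mtu(1500, params)}")
```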
More information about the freebsd-questions