
Re: MTU and IPSec VPN's



The real problem is 'net sites that block all ICMP messages, which
means that they effectively disable pmtu discovery.

-derek

"Christopher Gripp" <cgripp@axcelerant.com> writes:

> When using various vendor implementations of IPSec (RedCreek and Cisco
> to name a couple) we have run across an issue where the MTU must be
> changed on the PCs and/or servers for certain traffic (Outlook/Exchange,
> certain WWW pages) to flow through the VPN.
> 
> The problem is with large datagrams that need to be fragmented for the
> IPSec overhead to be added.
> 
> Lowering the MTU on the PC, for instance, to ~1492 alleviates these
> issues.
> 
> However the proposition of hacking the registry of 10,000 Windows
> machines is at best ugly.
> 
> Is there something in the vendor implementation that can be changed?  Is
> it an RFC compliancy issue?  Or is this strictly a system configuration
> issue with the nodes involved?

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
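
The effect described in this thread, as an added example that is not part of either message: a small simulation of RFC 1191 path MTU discovery, run once with ICMP "fragmentation needed" errors delivered and once with all ICMP filtered. The path MTUs are constructed values (the 1492 hop borrows the thread's ~1492 figure as an assumed tunnel MTU), and the function names are hypothetical.

```python
# Added example: simulated path MTU discovery with and without ICMP filtering.
# PATH is constructed; 1492 is assumed as the tunnel hop's usable MTU.
PATH = [1500, 1492, 1500]


def send_df(size, path_mtus, icmp_blocked):
    """Send one packet with DF set along the path.

    Returns ("delivered", None), ("frag_needed", next_hop_mtu) or ("lost", None).
    """
    for mtu in path_mtus:
        if size > mtu:
            # The router may not fragment (DF set): it drops the packet and
            # sends ICMP type 3 code 4 carrying the next-hop MTU (RFC 1191).
            if icmp_blocked:
                return ("lost", None)  # a filter discarded the ICMP error
            return ("frag_needed", mtu)
    return ("delivered", None)


def discover_pmtu(first_hop_mtu, path_mtus, icmp_blocked, max_tries=5):
    """Sender-side discovery loop. Returns (pmtu or None, attempts used)."""
    estimate = first_hop_mtu
    for attempt in range(1, max_tries + 1):
        status, hint = send_df(estimate, path_mtus, icmp_blocked)
        if status == "delivered":
            return estimate, attempt
        if status == "frag_needed":
            estimate = hint  # shrink to the MTU the router reported
        # "lost": no feedback at all, so the sender retransmits the same size
    return None, max_tries  # black hole: large packets never get through


if __name__ == "__main__":
    print("ICMP delivered:", discover_pmtu(1500, PATH, icmp_blocked=False))
    print("ICMP blocked:  ", discover_pmtu(1500, PATH, icmp_blocked=True))
    print("small packets: ", discover_pmtu(576, PATH, icmp_blocked=True))
```

Small packets still get through when ICMP is filtered, which is why only some traffic (large datagrams) stalls across the VPN.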

