Re: MTU and IPSec VPN's
The real problem is 'net sites that block all ICMP messages, which
means that they effectively disable PMTU discovery.
-derek
"Christopher Gripp" <cgripp@axcelerant.com> writes:
> When using various vendor implementations of IPSec (RedCreek and Cisco
> to name a couple) we have run across an issue where the MTU must be
> changed on the PCs and/or servers for certain traffic (Outlook/Exchange,
> certain WWW pages) to flow through the VPN.
>
> The problem is with large datagrams that need to be fragmented for the
> IPSec overhead to be added.
>
> Lowering the MTU on the PC, for instance, to ~1492 alleviates these
> issues.
>
> However, the proposition of hacking the registry of 10,000 Windows
> machines is at best ugly.
>
> Is there something in the vendor implementation that can be changed? Is
> it an RFC compliancy issue? Or is this strictly a system configuration
> issue with the nodes involved?
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
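
Added example, not part of the original message: a small Python model of path MTU discovery (RFC 1191) across a tunnel hop, showing why filtering ICMP "fragmentation needed" (type 3, code 4) stalls only large packets and why lowering the host MTU hides the problem. The hop MTUs, the 1400-byte tunnel MTU and the function names are constructed assumptions.

```python
# Constructed model of path MTU discovery (RFC 1191) through a tunnel hop.
# All sizes are illustrative assumptions, not values from the thread.
HOST_MTU = 1500      # Ethernet default on the sending host
TUNNEL_MTU = 1400    # assumed room left after IPsec encapsulation overhead
PATH = [1500, TUNNEL_MTU, 1500]  # per-hop MTUs, sender to receiver


def forward(size, df, hop_mtus, icmp_blocked):
    """Carry one packet along the path.

    Returns ("delivered", None), ("frag_needed", mtu) or ("dropped", None).
    """
    for mtu in hop_mtus:
        if size <= mtu:
            continue
        if not df:
            continue  # router fragments the packet and the pieces go on
        if icmp_blocked:
            return ("dropped", None)  # ICMP type 3 code 4 filtered: silent loss
        return ("frag_needed", mtu)   # router reports its next-hop MTU
    return ("delivered", None)


def send_with_pmtud(packet_len, hop_mtus, icmp_blocked,
                    host_mtu=HOST_MTU, max_tries=5):
    """Sender sets DF and lowers its path MTU estimate on each ICMP error."""
    pmtu = host_mtu
    for attempt in range(1, max_tries + 1):
        size = min(packet_len, pmtu)
        status, hint = forward(size, True, hop_mtus, icmp_blocked)
        if status == "delivered":
            return {"ok": True, "pmtu": pmtu, "tries": attempt}
        if status == "frag_needed":
            pmtu = hint  # learned the smaller MTU; retry at that size
        # on "dropped" nothing comes back, so the same size is retransmitted
    return {"ok": False, "pmtu": pmtu, "tries": max_tries}


if __name__ == "__main__":
    print("ICMP allowed  :", send_with_pmtud(1500, PATH, icmp_blocked=False))
    print("ICMP blocked  :", send_with_pmtud(1500, PATH, icmp_blocked=True))
    print("small packet  :", send_with_pmtud(576, PATH, icmp_blocked=True))
    print("host MTU 1400 :", send_with_pmtud(1500, PATH, True, host_mtu=1400))
```
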