[KLUG Members] IPSEC VPN Problem

Adam Tauno Williams awilliam at whitemice.org
Sat Mar 5 16:41:31 EST 2005


> > > Maybe the next time I feel masochistic, I'll try OpenSWAN...  :-O
> > I think I'd rather create a sendmail.cf by hand!
> OK, after becoming sufficiently annoyed by the hangs in the VPN, I
> started looking at the OpenSWAN documentation on how to create a simple
> net-to-net VPN.
> And after becoming sufficiently annoyed with the OpenSWAN documentation
> and one thing that didn't seem to work the way I thought it should, I
> switched my focus back to fixing OpenVPN.   :-)

Oh, bummer, no presentation in IP SEC then?

> To quote the man page:  "MTU problems often manifest themselves as
> connections which hang during periods of active usage.  It's best to use
> the --fragment and/or --mssfix options to deal with MTU sizing issues."

Ah, I've set my fragment and mssfix much lower since a small MTU/MRU
helps keep things like telnet & ssh from getting stomped down during a
file transfer.  I like a fragment size of 512 on OpenVPN and 296 on PPTP.

Maybe someone should do a QoS presentation?!  I know Linux can do
various QoS methods but I've only implemented QoS on Cisco (well, I did
it on Nortel too, but like most things on Nortel routers it didn't
actually work).  Traffic prioritization over VPNs would be a nice thing.

> So I added both a fragment and mssfix line in my openvpn.conf file, with
> values slightly lower than the default MTU, and the problem _appears_ to
> be fixed now, although I may have to lower the fragment/mssfix values
> slightly more if I run into any more problems.  To quote the FAQ:
> "Common values to try for mssfix/fragment: 1200, 1300, or 1400."
> I'm trying 1400, but may need to lower to 1300 or 1200.  Time will tell!