[KLUG Members] IPSEC VPN Problem

Bruce Smith bruce at armintl.com
Sun Mar 6 13:38:21 EST 2005


> > > > Maybe the next time I feel masochistic, I'll try OpenSWAN...  :-O
> > > I think I'd rather create a sendmail.cf by hand!
> > OK, after becoming sufficiently annoyed by the hangs in the VPN, I
> > started looking at the OpenSWAN documentation on how to create a simple
> > net-to-net VPN.
> > And after becoming sufficiently annoyed with the OpenSWAN documentation
> > and one thing that didn't seem to work the way I thought it should, I
> > switched my focus back to fixing OpenVPN.   :-)
> 
> Oh, bummer, no presentation in IP SEC then?

Not by me.  Not in the foreseeable future anyway.   :-(

Probably not even if I got it to work, since that would most likely be
nothing but trial & error (and/or luck).

> > To quote the man page:  "MTU problems often manifest themselves as
> > connections which hang during periods of active usage.  It's best to use
> > the --fragment and/or --mssfix options to deal with MTU sizing issues."
> 
> Ah,  I've set my fragment and mssfix much lower since a small MTU/MRU
> helps things like telnet & ssh from getting stomped down during a file
> transfer.  I like a fragment size of 512 on OpenVPN and 296 on PPTP. 

Yeah, I used to do that on dialup, but it doesn't seem to be that much
of a problem any longer with 3M broadband.   :-)

> Maybe someone should do a QoS presentation?!

Sounds good, I'll be there for that one! 

> I know Linux can do
> various QoS methods but I've only implemented QoS on Cisco (well, I did
> it on Nortel too, but like most things on Nortel routers it didn't
> actually work).  Traffic prioritization over VPNs would be a nice thing.

I haven't done hardly anything with QoS, other than a couple iptables
lines that I "borrowed" from someone else's config.

 - BS



