Re: [Ipsec-tools-devel] IPsec, IP masquerading, and fragmented packets (Oh my!)
From: Tom E. <te...@sh...> - 2005-03-28 03:27:41
Peter Johanson wrote:
>
> I have basically the same setup at home, using kame + shorewall for all
> my stuff. I ran into the same problem as you, including slashdot not
> loading, etc, etc. I solved this using ipt_DF
> (http://mordor.strace.net/iptables/ (careful, Russian I believe)), which
> you can find discussed on a few ipsec related lists. Basically lets you
> arbitrarily scrub/set the DF bit on packets via iptables. Works well
> here, although it may not be the most "elegant" solution. Required a
> slight rework of the patch on that site, and two extra iptables rules,
> and *poof* it worked.
>

When using Shorewall, this problem is addressed by the mss= specification in
/etc/shorewall/ipsec. See my own config at http://shorewall.net/myfiles.htm.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ te...@sh...
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key