From: Brian A. S. <lav...@sp...> - 2006-09-14 17:18:12
Packet Scrubbing may be causing problems. Also some old pf(4) needed:

    pass out quick on $ext inet proto esp from $foo to $bar keep state

~BAS

On Mon, 4 Sep 2006, VANHULLEBUS Yvan wrote:

> On Tue, Aug 29, 2006 at 02:19:09PM -0500, lk...@de... wrote:
>> Hi guys,
>>
>> First the network I'm working on is like so:
>>
>>   -----> tun0 [server1|freebsd6|racoon] xl0 <- switch -> [server2|freebsd6]
>>          a.b.c.d                    192.168.0.1           192.168.0.201 [def gw: 192.168.0.1]
>>
>> VPN clients connect to a.b.c.d and sit on 192.168.5.0/24.
>> All services on server1 are accessible to the VPN clients
>> but there are some issues with the connections to server2.
>>
>> For example, VPN users can SSH to the .201 without problems,
>> though connecting to web on .201:8080 hangs. I can see the state
>> created in the PF state table and I can see packets moving forward
>> with tcpdump, but the connection times out at some point.
>
> Wild guess: try to lower your TCP MSS (for example on the box which
> runs PF, so it will be done for all sessions) to avoid IPSec
> fragmented packets.
>
>
> Yvan.
>
> _______________________________________________
> Ipsec-tools-users mailing list
> Ips...@li...
> https://lists.sourceforge.net/lists/listinfo/ipsec-tools-users

l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/
"...from back in the heady days when "helpdesk" meant nothing, "diskquota" meant everything, and lives could be bought and sold for a couple of pages of laser printout - and frequently were."
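Yvan's guess (lower the TCP MSS so encrypted packets are not fragmented) matches the symptom in the thread: small interactive SSH segments fit inside the ESP packet, while full-size HTTP segments push the encapsulated packet over the link MTU and get fragmented, which is exactly the traffic that PF scrub rules and stateful filtering then tend to mishandle. The script below is an added example, not code from the thread or from ipsec-tools; it works out the ESP tunnel-mode overhead per RFC 4303 (plus the UDP header of RFC 3948 NAT-T when asked) and the largest MSS that still fits in a given MTU. The two cipher suites and the 1500-byte MTU are assumptions for illustration; TCP options (timestamps add 12 bytes per segment) are not modelled, so leave a little headroom below the computed value.

```python
"""ESP tunnel-mode overhead and MSS clamping (added example, RFC 4303 framing).

Assumptions: IPv4 inside and out, no IP or TCP options, CBC ciphers with an
explicit IV, 96-bit truncated HMAC.  Suite parameters below are constructed
examples of common racoon-era configurations.
"""

from dataclasses import dataclass

IPV4_HDR = 20      # outer and inner IPv4 header, no options
TCP_HDR = 20       # TCP header without options
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
UDP_HDR = 8        # only with NAT-T (UDP encapsulation, RFC 3948)


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int      # explicit IV carried in the packet
    block_size: int  # CBC cipher block size; padding aligns to it
    icv_len: int     # truncated integrity check value


# Constructed example suites (hypothetical names, real parameter values).
AES128_CBC_SHA1 = EspSuite("aes-cbc-128 / hmac-sha1-96", iv_len=16, block_size=16, icv_len=12)
TDES_CBC_MD5 = EspSuite("3des-cbc / hmac-md5-96", iv_len=8, block_size=8, icv_len=12)


def esp_tunnel_len(tcp_payload: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Wire size of one TCP segment after ESP tunnel-mode encapsulation."""
    inner = IPV4_HDR + TCP_HDR + tcp_payload
    # Pad so the inner packet plus the 2-byte trailer fills whole cipher blocks.
    encrypted = -(-(inner + ESP_TRAILER) // suite.block_size) * suite.block_size
    outer = IPV4_HDR + ESP_HDR + suite.iv_len + encrypted + suite.icv_len
    return outer + (UDP_HDR if nat_t else 0)


def max_mss(mtu: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Largest TCP payload whose encapsulated packet still fits in mtu."""
    fixed = IPV4_HDR + ESP_HDR + suite.iv_len + suite.icv_len + (UDP_HDR if nat_t else 0)
    # Only whole cipher blocks fit in what is left after the fixed overhead.
    encrypted_budget = (mtu - fixed) // suite.block_size * suite.block_size
    return encrypted_budget - ESP_TRAILER - IPV4_HDR - TCP_HDR


def fragments(tcp_payload: int, mtu: int, suite: EspSuite, nat_t: bool = False) -> bool:
    """True when a segment of this size would be fragmented after encryption."""
    return esp_tunnel_len(tcp_payload, suite, nat_t) > mtu


if __name__ == "__main__":
    for suite in (AES128_CBC_SHA1, TDES_CBC_MD5):
        for nat_t in (False, True):
            mss = max_mss(1500, suite, nat_t)
            print(f"{suite.name:28} nat-t={nat_t!s:5} max-mss={mss:4}  "
                  f"default MSS 1460 fragments: {fragments(1460, 1500, suite, nat_t)}  "
                  f"1-byte ssh keystroke fragments: {fragments(1, 1500, suite, nat_t)}")
```

The computed value is what you would put in `max-mss` on a pf.conf `scrub` rule on the PF box, which clamps the MSS in every SYN it forwards so neither endpoint needs changing. Before and after, check on the outside interface with tcpdump: if the large segments leave as IP fragments rather than single ESP datagrams, the MTU budget is still being exceeded (a tun0 MTU below 1500 lowers the number further; pass the real MTU to `max_mss`).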