From: Alexander W. <ale...@ad...> - 2006-02-07 14:32:27
Hi Mike,

next time please read and follow the support guidelines. Between much unnecessary information I found this:

> I am able to ping subnet 10.10.10.0/24 very well (best latency without
> loss).
> I am able to transfer DNS zone data very well.
> I am able to transfer nagios passive checks very well.
> I am not able to cp/cpio/rsync (nfs), sftp or else to subnet 10.10.10.0/24
> very well or let's say I am able to transfer but within a few seconds my
> bandwidth goes down <100kbit/s and changes permanently to stalled.
>
> The connection is still alive but it will take one day to transfer 20MB?!.
>
> So this looks like an MTU problem (Path MTU discovery doesn't work).

This problem hits you when you transfer bigger IP packets. This is not so much shorewall related, but of course shorewall has a solution for you. In newer versions of shorewall you want to set the MSS by editing /etc/shorewall/zone to something like this:

vpn0 ipsec mode=tunnel mss=1384 mss=1384

Play around with these incoming and outgoing values to find the best setup for your case. In older versions of shorewall those settings were located in the /etc/shorewall/ipsec file. I can't remember when this change was introduced into shorewall. But you'll find out yourself by reading the comments on top of those files.

HTH,
Alex
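An added example, not part of the list post above and not shorewall's own code: a small POSIX shell script that works out an MSS for the tunnelled path and prints the clamp in both the shorewall zones form from the reply and the raw netfilter TCPMSS rule it corresponds to. The function names (mss_for_mtu, pmtu_probe, emit_clamp), the 1500-byte outer link MTU and the 76-byte ESP tunnel-mode overhead that together yield the 1384 from the reply are assumptions for illustration; the probe relies on Linux iputils ping (-M do sets the DF bit) and needs network access.

```shell
#!/bin/sh
# Added example (not from the shorewall list post). Derives a TCP MSS that fits
# an IPsec-tunnelled path and emits the matching clamp rules. The 76-byte ESP
# overhead and the 1500-byte link MTU below are assumptions; real ESP overhead
# depends on cipher, integrity algorithm and padding.

# mss_for_mtu MTU OVERHEAD -> largest TCP payload per segment:
#   MTU minus tunnel overhead minus 20-byte IPv4 header minus 20-byte TCP header.
mss_for_mtu() {
    mtu=$1
    overhead=${2:-0}
    echo $(( mtu - overhead - 20 - 20 ))
}

# pmtu_probe HOST [LOW] [HIGH] -> binary-search the largest ICMP payload that
# crosses the path with DF set (iputils ping: -M do). Path MTU is payload + 28
# (20-byte IP + 8-byte ICMP header). Needs network access; not exercised offline.
pmtu_probe() {
    host=$1; lo=${2:-500}; hi=${3:-1473}
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if ping -M do -c 1 -W 1 -s "$mid" "$host" >/dev/null 2>&1; then
            lo=$mid          # fits: search upwards
        else
            hi=$mid          # "message too long" or blackholed: search downwards
        fi
    done
    echo $(( lo + 28 ))
}

# emit_clamp MSS -> the shorewall zones line from the reply and the netfilter
# rule shorewall generates from it (clamps SYNs crossing the FORWARD chain).
emit_clamp() {
    mss=$1
    cat <<EOF
# /etc/shorewall/zones  (ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS)
vpn0 ipsec mode=tunnel mss=$mss mss=$mss
# raw netfilter equivalent on a host without shorewall
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss
EOF
}

# Usage: ./mss.sh [INNER_PEER_ADDRESS]
# Probing an address *inside* the tunnel already accounts for ESP encapsulation,
# so no extra overhead is subtracted. Without a probe, assume a 1500-byte outer
# link and the assumed 76-byte overhead, which gives the 1384 from the reply.
if [ -n "$1" ]; then
    mss=$(mss_for_mtu "$(pmtu_probe "$1")" 0)
else
    mss=$(mss_for_mtu 1500 76)
fi
emit_clamp "$mss"
```

The symptom in the quoted report (small packets fine, bulk transfer stalls after a few seconds) is the classic PMTU blackhole: the ICMP "fragmentation needed" messages never reach the sender, so oversized segments are silently dropped. Clamping the MSS on the SYN sidesteps that for TCP; the probe is the check that tells you which value to clamp to instead of guessing. Note that it only helps TCP: the NFS-over-UDP case in the report still needs a smaller rsize/wsize or a lower interface MTU.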