Hi, thanks for your reply,
I did some checking and found that the DSL modem, provided by the ISP, had a setting of 1400 MTU vs 1500. So, I set that to 1500 instead... Via ifconfig -a the NICs (2 per machine) are set to default, also 1500.

When I do a ping -D -s 1464 <host> from a random internet machine, towards the external NIC of the remote BSD machine, it works fine (MTU 1500 vs MRU 1492 is a difference of 8, hence the 1464 max). But when I do the ping from the machine that makes the VPN tunnel with that remote system, I only can go up to 1330, that is, ping -D -s 1330 <host> (+8 makes 1338 bytes). The MTU on the enc0 virtual NIC is 1536 (on both sides)... I don't know if that can be changed, but it's above 1500 anyway...

So, it seems the "tunnel connection" makes the MTU size drop in some way... In the ipsec.conf file, used by ipsecctl, I don't have any parameters regarding this (if any exist).

My location's ipsec.conf:

#
# IPSEC to remote
#
ike esp from <my lan range> to <remote lan range> peer <remote BSD box inet ip>
ike esp from <my bsd box inet ip> to <remote lan range> peer <remote BSD box inet ip>
ike esp from <my bsd box inet ip> to <remote BSD box inet ip>

The one on the other side is the same in vice-versa config and 'passive'.

So, the ping is OK when it's not going through the tunnel... but via the tunnel, the MTU size sinks to 1330 max. How to get that not to sink?

regards
Willem

-----Original message-----
From: Karsten McMinn [mailto:[EMAIL PROTECTED]
Sent: Tuesday 27 June 2006 18:27
To: [email protected]
Subject: Re: Change MTU size TCP/IP Packets for 'black hole routers' within BSD 3.8 possible ?

On 6/27/06, forums <[EMAIL PROTECTED]> wrote:
> > this could be a "Black Hole Router Issue" and I should try to set the MTU (Maximum Transmission
> > Unit) lower (the ping with a packet/framesize from 1472 indeed fails over this line).
> > A packetsize from around 1300 works ok.
You should be tracking down the service provider who maintains the IP transport on the sub-1500-byte MTU link. No real service provider is using links with MTUs under 1500 bytes, but in cases where they are tunneling or doing other things it will be munged if not deployed properly. As Joachim said, use ifconfig, pf and friends to set it yourself. Although to check MTU you need to be doing a "ping -D -s 1472 {host}" from an Ethernet-connected host (replies verify a full 1500-byte MTU is working) and "ping -D -s 1500 {host}" should give you an ICMP type 3 code 4. Remember that most firewalls usually block large-byte pings though.
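The thread compares the largest "ping -D -s N" that gets through outside the tunnel (1464 on a 1492-byte path) with the largest that gets through inside it (1330). Tunnel-mode ESP wraps every inner packet in an outer IP header, an ESP header, a cipher IV, CBC padding, a two-byte trailer and an ICV, so the inner packet has to be smaller than the path MTU by that fixed-plus-padding amount. The script below is an added example, not code from Willem, Karsten or the OpenBSD project: it computes that overhead for a chosen cipher/auth pair and derives the expected in-tunnel "ping -s" limit for a given path MTU, and it binary-searches the actual limit with DF-bit pings. The header and ICV sizes come from RFC 4303, RFC 3602, RFC 2451 and RFC 2404; the cipher/auth defaults, the NAT-T flag and the OpenBSD ping(8) command line ("-D" for DF, "-s" for payload length, "-c" for count) are assumptions, and the probe function stubbed into `main()` is constructed so the example runs offline.

```python
"""Added example (not from the mailing-list thread): compute how much a
tunnel-mode ESP SA shrinks the usable packet size, and binary-search the
real in-tunnel limit with DF-bit pings."""

import subprocess

IP_HDR = 20        # IPv4 header without options
ICMP_HDR = 8       # ICMP echo header; "ping -s N" sends N bytes after it
ESP_HDR = 8        # SPI + sequence number (RFC 4303)
ESP_TRAILER = 2    # pad length + next header (RFC 4303)
NAT_T_UDP = 8      # UDP header when ESP is carried in UDP (NAT-T); assumed off

# (IV length, cipher block size): RFC 2451 for 3DES-CBC, RFC 3602 for AES-CBC
CIPHERS = {
    "3des-cbc": (8, 8),
    "aes-cbc": (16, 16),
}
# ICV length of the truncated HMAC: RFC 2404 (SHA1-96), RFC 2403 (MD5-96),
# RFC 4868 (SHA-256-128)
AUTHS = {
    "hmac-sha1": 12,
    "hmac-md5": 12,
    "hmac-sha2-256": 16,
}


def esp_tunnel_size(inner_len, cipher="aes-cbc", auth="hmac-sha1", nat_t=False):
    """Bytes on the wire for one tunnel-mode ESP packet that carries an
    inner IPv4 packet of inner_len bytes."""
    iv_len, block = CIPHERS[cipher]
    icv_len = AUTHS[auth]
    # The CBC ciphertext (inner packet + padding + trailer) must be a
    # multiple of the block size; ESP adds the minimum padding needed.
    pad = (-(inner_len + ESP_TRAILER)) % block
    outer = IP_HDR + ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + icv_len
    if nat_t:
        outer += NAT_T_UDP
    return outer


def max_ping_payload(path_mtu, cipher="aes-cbc", auth="hmac-sha1", nat_t=False):
    """Largest "ping -s N" whose ESP-encapsulated packet still fits path_mtu
    without fragmentation: the in-tunnel counterpart of 1472 on a 1500 link."""
    for n in range(path_mtu, -1, -1):
        inner = n + ICMP_HDR + IP_HDR
        if esp_tunnel_size(inner, cipher, auth, nat_t) <= path_mtu:
            return n
    return 0


def find_max_payload(probe, lo=0, hi=1500):
    """Binary-search the largest size for which probe(size) is True.
    Assumes probe is monotonic: if size N gets through, smaller sizes do too."""
    best = None
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(mid):
            best, lo = mid, mid + 1
        else:
            hi = mid - 1
    return best


def ping_df_probe(host, size, count=1):
    """True if one ICMP echo with `size` payload bytes and DF set is answered.
    Assumes OpenBSD ping(8) flags; Linux would use "-M do" instead of "-D"."""
    cmd = ["ping", "-D", "-c", str(count), "-s", str(size), host]
    rc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                        stderr=subprocess.DEVNULL).returncode
    return rc == 0


def main():
    path_mtu = 1492   # the MRU mentioned in the thread
    for cipher in CIPHERS:
        for auth in AUTHS:
            print(f"{cipher:9s} {auth:14s} max ping -s inside tunnel: "
                  f"{max_ping_payload(path_mtu, cipher, auth)}")
    # Constructed stand-in for ping_df_probe so the example runs offline:
    # pretends the tunnel passes payloads up to 1330 bytes, as in the thread.
    fake_probe = lambda size: size <= 1330
    print("measured limit:", find_max_payload(fake_probe, 0, 1500))
    # Real use: find_max_payload(lambda s: ping_df_probe("<host>", s))


if __name__ == "__main__":
    main()
```

Compare the computed limit for the SA's actual transforms (shown by `ipsecctl -sa`) against the measured one; if the measured value is well below the computed one, the loss is not the ESP overhead itself but something else on the path between the two gateways.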

