> so, the ping is ok when it's not going through the tunnel...but via the
> tunnel, the MTU size
> sinks to 1330 max.
>
> How to get that not to sink?

You probably can't - your VPN tunnel is adding IP and IPsec headers which cause packets to grow beyond the DSL provider's MTU. (BTW some DSL services may be based on PPPoE which could have an MTU lower than 1500 - I would check with your ISP before setting the modem MTU to something different.)

The way to avoid this problem is to send packets over the link that are small enough to avoid exceeding the MTU when they are encapsulated with IPsec. Your main decision is whether you set the packet size at the clients (manually or by ensuring PathMTU is working) or do fragmentation at the router.

IMO you should offload fragmentation to the clients by ensuring PathMTU works. So I suggest ensuring that your router interfaces have the correct MTU, check clients are receiving ICMP "packet too big" messages and use the scrub max-mss option in pf.

SteveW
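
The sizing the reply describes, as an added example that is not part of the original message: it computes the largest inner packet and TCP MSS that fit in the link MTU after IPv4 ESP tunnel-mode encapsulation. The cipher suites, MTU values and function names are assumptions, since the thread does not say which are in use.

```python
# Added example. Sizes are for IPv4 ESP in tunnel mode; the suites and MTUs
# used here are constructed sample values, not taken from the thread.
from dataclasses import dataclass

IPV4_HDR = 20      # IPv4 header without options (outer and inner)
TCP_HDR = 20       # TCP header without options
ESP_HDR = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)
NATT_UDP_HDR = 8   # UDP header when ESP is UDP-encapsulated (NAT traversal)


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int     # IV bytes carried in every packet
    block_len: int  # padding alignment required by the cipher
    icv_len: int    # integrity check value (truncated MAC or AEAD tag)


AES_CBC_SHA1 = EspSuite("aes-cbc + hmac-sha1-96", 16, 16, 12)
AES_GCM_16 = EspSuite("aes-gcm, 16-byte tag", 8, 4, 16)


def max_inner_packet(link_mtu: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Largest inner IPv4 packet whose encapsulated form fits in link_mtu."""
    fixed = IPV4_HDR + ESP_HDR + suite.iv_len + suite.icv_len
    if nat_t:
        fixed += NATT_UDP_HDR
    align = max(suite.block_len, 4)            # ESP pads to at least 4 bytes
    ciphertext = ((link_mtu - fixed) // align) * align
    if ciphertext <= ESP_TRAILER:
        raise ValueError("link MTU too small for this ESP suite")
    return ciphertext - ESP_TRAILER            # trailer sits inside the padded data


def max_mss(link_mtu: int, suite: EspSuite, nat_t: bool = False) -> int:
    """TCP MSS that keeps a full-size segment within max_inner_packet()."""
    return max_inner_packet(link_mtu, suite, nat_t) - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    for mtu in (1500, 1492):                   # plain Ethernet, PPPoE
        for suite in (AES_CBC_SHA1, AES_GCM_16):
            for nat_t in (False, True):
                print(f"mtu={mtu} {suite.name} nat_t={nat_t}: "
                      f"inner={max_inner_packet(mtu, suite, nat_t)} "
                      f"mss={max_mss(mtu, suite, nat_t)}")
```

The MSS figure is the kind of value the pf scrub max-mss option takes; a lower link MTU (PPPoE) or UDP encapsulation reduces it further.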

