On Fri 19/09/2003 at 17:41, Nigel Metheringham wrote:
> What appears to be happening is that everything works while packets are
> short, however when long packets come in they bounce off the lower MTU
> interface, and the returned ICMP packet is not getting back to the
> originator in a sane form. So the connection freezes.
> Having looked closer at this I find there is an ICMP dest unreach packet
> emitted from my box back to the originator. However inside the packet
> the SNAT has been undone, but the DNAT is still in place.

Just a 0.02e quick thought...

You're facing a situation a bit like routing LANs through a PPPoE link.
The solution is to clamp the TCP MSS down to the correct value when routing them.

iptables -t mangle -A FORWARD -p tcp --syn -j TCPMSS --clamp-mss-to-pmtu

This sets the TCP MSS to MTU-40, so 1410 for your IPSEC link.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
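Added example, not part of the original message or of iptables itself: the rewrite that the TCPMSS --clamp-mss-to-pmtu target performs, reproduced in Python on a constructed TCP SYN header so the "MTU-40" figure can be seen to come from the 20-byte IPv4 header plus the 20-byte TCP header. The path MTU of 1450 is an assumption inferred from the stated result (MSS 1410); the SYN segment is constructed here, and TCP checksum recomputation, which the kernel does after the rewrite, is left out because it needs the IP pseudo-header.

```python
"""MSS clamping on a TCP SYN, as the iptables TCPMSS target does it.

Added example; assumes an IPsec path MTU of 1450 (not stated in the message,
only the resulting MSS of 1410 is).  Sample segments are constructed inline.
"""
import struct

IP_HDR_LEN = 20   # minimal IPv4 header, no options
TCP_HDR_LEN = 20  # minimal TCP header, no options


def mss_for_pmtu(pmtu):
    """Largest TCP payload that still fits one packet on a path with this MTU."""
    return pmtu - IP_HDR_LEN - TCP_HDR_LEN


def parse_tcp_options(tcp_hdr):
    """Yield (kind, value_bytes, offset_in_header) for every TCP option."""
    data_offset = (tcp_hdr[12] >> 4) * 4  # header length in bytes
    i = TCP_HDR_LEN
    while i < data_offset:
        kind = tcp_hdr[i]
        if kind == 0:          # End of option list
            break
        if kind == 1:          # NOP padding
            i += 1
            continue
        length = tcp_hdr[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("malformed TCP option at offset %d" % i)
        yield kind, tcp_hdr[i + 2:i + length], i
        i += length


def get_mss(tcp_hdr):
    """Return the MSS option value, or None if the header carries none."""
    for kind, value, _ in parse_tcp_options(tcp_hdr):
        if kind == 2 and len(value) == 2:
            return struct.unpack("!H", value)[0]
    return None


def clamp_mss(tcp_hdr, pmtu):
    """Lower the MSS option of a SYN to (pmtu - 40) if it is larger.

    Returns (new_header, original_mss).  Non-SYN segments carry no MSS and
    are returned untouched with None.  Checksum recomputation is omitted;
    the kernel redoes it after the option rewrite.
    """
    if not tcp_hdr[13] & 0x02:  # SYN flag not set
        return tcp_hdr, None
    target = mss_for_pmtu(pmtu)
    buf = bytearray(tcp_hdr)
    for kind, value, off in parse_tcp_options(tcp_hdr):
        if kind == 2 and len(value) == 2:
            (mss,) = struct.unpack("!H", value)
            if mss > target:
                struct.pack_into("!H", buf, off + 2, target)
            return bytes(buf), mss
    return bytes(buf), None


def build_syn(mss, sport=40000, dport=80, syn=True):
    """Constructed sample: TCP header with MSS, NOP, NOP, SACK-permitted options."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01" + b"\x04\x02"
    data_offset = (TCP_HDR_LEN + len(options)) // 4
    flags = 0x02 if syn else 0x10  # SYN, or plain ACK for the non-SYN case
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                      data_offset << 4, flags, 65535, 0, 0)
    return hdr + options


if __name__ == "__main__":
    # An Ethernet-sized MSS (1460) coming from a 1500-byte LAN is too big
    # for the 1450-byte IPsec path; clamping lowers it to 1410.
    new_hdr, old = clamp_mss(build_syn(1460), 1450)
    print("MSS %d -> %d" % (old, get_mss(new_hdr)))
```

Run on a SYN carrying MSS 1460 the rewrite yields 1410, exactly the figure quoted above; a SYN that already advertises a smaller MSS is left alone, as is anything without the SYN flag, which is why the rule above matches only `--syn`.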