Thanks for the fast reply ... So you are saying I should use a value of 1440 for X ? What rule do I apply it too ? (sorry to sound stupid .. brain is fried .. have been working on this for a long time). Peter ----- Original Message ----- From: "Jason Opperisano" <opie@xxxxxxxxxxx> To: <netfilter@xxxxxxxxxxxxxxxxxxx> Sent: Friday, October 15, 2004 3:10 PM Subject: Re: ipsec troubles On Fri, Oct 15, 2004 at 03:00:03PM -0300, Peter Marshall wrote: > Hi everyone. I have two firewalls, internal and external. I have a vpn > server in the middle on a routeable internet IP address. The remote vpn > server is a rh9 linux box. When I make the local one a rh9 box, everything > is great, however when the local one is an openbsd box, I get the following > error in my firewall logs on my internal firewall. Does anyone know what it > means. > > Note: E.F.G.33 is a routeable internet IP address > > Oct 15 14:53:43 radium kernel: FORWARD REJECT IN=eth1 OUT=eth0 > SRC=E.F.G.33 DST=192.168.201.22 LEN=56 TOS=0x00 PREC=0x00 TTL=254 > ID=25774 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.201.22 DST=10.0.0.2 LEN=1500 > TOS=0x00 PREC=0x00 TTL=126 ID=18062 DF PROTO=TCP INCOMPLETE [8 bytes] ] > MTU=1444 ICMP Type 3 Code 4 = Destination Unreachable, Fragmentation Needed and Don't Fragment was Set. lower the MTU (or MSS) of your IPSec traffic. you can do this with the "-j TCPMSS --set-mss X" target in iptables. mathematically speaking, the maximum value of X in these situations would be 1440, derived as: 1500 (MTU of ethernet) - 20 (bytes in IPSec header) = 1480 MSS is defined as MTU - 40; or 1480 - 40 = 1440. -j -- Jason Opperisano <opie@xxxxxxxxxxx>