On Fri, Oct 15, 2004 at 04:12:58PM -0300, Peter Marshall wrote:
> Thank you again for the quick reply ... I am not sure if your suggestion
> will work though ... my vpn server is not on my firewall .. it is between my
> internal and external ... so basically, the troubling packets will come in
> through my external firewall, hit the vpnserver, leave the vpnserver and
> head to my internal firewall. They are then supposed to pass through to the
> server that has the webpage I am trying to get to, and then return the page
> back across the vpn link to the remote server ....
>
> I guess what I am getting at is there is no ipsec_if on the firewall ..as
> the vpn server is a standalone server ....
>
> Peter

Couple of things: first--you only can control the packets that leave your
network sent to the remote network. If they have a problem on their end as
well--they need to fix it at their side...

That being said--find the last place in your network where packets destined
for the remote VPN network are in the clear, and apply the TCPMSS rule there.
If I'm understanding you correctly--this would be on your internal firewall
and you would identify the packets by their destination network...maybe like:

  iptables -A FORWARD -i $INSIDE_IF -o $OUTSIDE_IF -p tcp --syn \
    -d $REMOTE_VPN_NET -j TCPMSS --set-mss 1440

--
Jason Opperisano <opie@xxxxxxxxxxx>
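The rule above rewrites the MSS option inside TCP SYN segments so that the peer never sends segments that, once wrapped in the VPN's extra headers, exceed the path MTU. The following Python is an added illustration of what that TCPMSS target does to a packet; it is not code from this thread or from netfilter. It builds a constructed IPv4/TCP SYN (no capture involved), walks the TCP option list to find the MSS option, lowers it to the clamp value (1440 as in the rule above) and recomputes the TCP checksum over the pseudo-header, since a stale checksum would make the receiving stack drop the segment. Packet fields, addresses and ports are made-up sample values.

```python
import ipaddress
import struct

# Constructed sample values for the demonstration (not from the thread).
SAMPLE_SRC = "10.1.0.5"        # host behind the internal firewall
SAMPLE_DST = "192.0.2.10"      # host on the remote VPN network
CLAMP_MSS = 1440               # value used in the iptables rule above


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum: IPv4 pseudo-header (src, dst, zero, proto 6, length) + segment."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    return ones_complement_sum(pseudo + segment)


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, mss: int) -> bytes:
    """Construct an IPv4 packet carrying a TCP SYN with one MSS option (sample input)."""
    options = struct.pack("!BBH", 2, 4, mss)            # kind 2 = MSS, length 4
    data_offset = (20 + len(options)) // 4              # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x12345678, 0,
                      data_offset << 4, 0x02, 65535, 0, 0) + options   # flags 0x02 = SYN
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def _split(packet: bytes):
    """Return (ip header length, src, dst, tcp segment) of an IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return ihl, src, dst, packet[ihl:]


def _mss_option_offset(tcp: bytes):
    """Walk the TCP option list; return the offset of a 4-byte MSS option or None."""
    doff = (tcp[12] >> 4) * 4
    i = 20
    while i + 1 < doff:
        kind = tcp[i]
        if kind == 0:                                   # End of Option List
            return None
        if kind == 1:                                   # NOP is a single byte
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2 or i + length > doff:             # malformed: stop, do not misparse
            return None
        if kind == 2 and length == 4:
            return i
        i += length
    return None


def get_mss(packet: bytes):
    """MSS option value of the TCP segment in packet, or None if absent."""
    _, _, _, tcp = _split(packet)
    off = _mss_option_offset(tcp)
    return None if off is None else struct.unpack("!H", tcp[off + 2:off + 4])[0]


def clamp_mss(packet: bytes, max_mss: int) -> bytes:
    """What TCPMSS --set-mss does: on a TCP SYN, lower an MSS above max_mss and fix the checksum."""
    ihl, src, dst, tcp = _split(packet)
    if packet[9] != 6 or not (tcp[13] & 0x02):          # not TCP, or not a SYN: untouched
        return packet
    off = _mss_option_offset(tcp)
    if off is None or struct.unpack("!H", tcp[off + 2:off + 4])[0] <= max_mss:
        return packet
    seg = bytearray(tcp)
    seg[off + 2:off + 4] = struct.pack("!H", max_mss)
    seg[16:18] = b"\x00\x00"                            # zero before recomputing
    seg[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(seg)))
    return packet[:ihl] + bytes(seg)


def tcp_checksum_ok(packet: bytes) -> bool:
    """A correct TCP checksum verifies to zero when summed together with the segment."""
    _, src, dst, tcp = _split(packet)
    return tcp_checksum(src, dst, tcp) == 0


if __name__ == "__main__":
    syn = build_syn(SAMPLE_SRC, SAMPLE_DST, 40000, 80, 1460)
    clamped = clamp_mss(syn, CLAMP_MSS)
    print("before:", get_mss(syn), "after:", get_mss(clamped), "checksum ok:", tcp_checksum_ok(clamped))
```

The clamp only ever lowers the value and only acts on SYNs, which is why the rule is matched with `--syn`: MSS is negotiated once per connection, so rewriting the opening segment is enough, and an MSS already below the clamp is left alone.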