ICMP Buffer through IPSec VPN Tunnel

I have an IPSec VPN tunnel set up with 2 Linux based SnapGear firewalls. I'm not able to ping through to the remote LAN with 2048 bytes of data which is required for Windows Active Directory Group Policy to get to the client. Is there a line I can add to the firewall to increase the ICMP buffer size?

Thanks, Dan Foxley

Reply to
Dan Foxley

Sounds to me like an MTU issue on the interface in question. What does ifconfig say about the MTU for the interface? Most Linux Ethernet interface MTUs are 1500 bytes. (You can change this with ifconfig.)

mike

Reply to
HisNameWasRobertPaulson

The fact that you need to be able to ping with 2048 bytes of data is news to me. Esp. since doing so is a big no-no, since ICMP packets bigger than the largest Ethernet frame size of 1518 tend to crash things due to bugs in the fragmentation of ICMP in most IP stacks. In fact doing so used to be a fairly common DoS attack - it would cause most windoze boxes to bluescreen. It was called the "ping of death". In fact, I believe Windows has been patched specifically to NOT allow pings bigger than the Ethernet MTU to be sent. (Could be wrong about that.)

There should never be any legit reason to need to send an ICMP packet greater than the Ethernet MTU.

I have many clients out in the field using AD, and my routers DO block large/fragmented ICMP. I know you do NOT need to be able to send 2048 bytes via ICMP for AD to work.

Reply to
T. Sean Weintz

I worked around this by creating a PPTP account on the SnapGear for this remote XP box; then, using "Log on Using Dial-Up connection", I can now ping with 2048 bytes of data. This is only a workaround and I'll try and work with the other suggestions. This may also have had to do with the remote client being on another subnet (10.x) with the Primary DNS pointing to the Domain Controller (100.11); when using PPTP the remote XP gets a local IP on the 100.x subnet.

I got this noti

> > I have an IPSec VPN tunnel set up with 2 Linux based SnapGear firewalls.

Reply to
Dan Foxley

I'd look into the frag settings on the VPN tunnels/your network. Sounds to me like there's a do-not-frag enabled somewhere.

Reply to
Mark S
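Both the MTU suggestion above and the do-not-fragment suggestion come down to one question: how large an ICMP echo actually fits through the tunnel path in a single packet. The script below is an added example, not something from this thread or from SnapGear; it assumes Linux iputils `ping` (for the `-M do` and `-s` options), a target passed in the hypothetical `PROBE_HOST` environment variable, and a constructed, typical ESP tunnel-mode overhead figure (outer IPv4 header plus ESP header, IV, padding and ICV) rather than a measured one. It computes the largest ICMP payload that fits a given MTU with and without IPsec encapsulation, then binary-searches the real path with DF set to find where fragmentation starts.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes iputils ping on Linux and an
# optional PROBE_HOST; the ESP overhead below is a constructed estimate.

# Largest ICMP echo payload that fits in one packet of the given MTU:
# MTU minus the 20-byte IPv4 header minus the 8-byte ICMP header.
max_icmp_payload() {
    echo $(( $1 - 28 ))
}

# Assumed ESP tunnel-mode overhead (constructed figure, not measured):
# outer IPv4 20 + SPI/sequence 8 + 16-byte IV + up to 17 bytes of
# padding/pad-length/next-header + 12-byte ICV = 73 bytes.
ESP_OVERHEAD=73

# Payload budget once the packet is wrapped in ESP; anything larger than
# this must be fragmented somewhere on the path.
max_icmp_payload_ipsec() {
    echo $(( $1 - 28 - ESP_OVERHEAD ))
}

# One probe with DF set: succeeds only if the payload fits the path MTU.
probe_once() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# Binary search for the largest payload that passes unfragmented.
# Arguments: host, lower bound that is known to pass, upper bound to test.
probe_path_mtu() {
    host=$1; lo=${2:-0}; hi=${3:-1472}
    if probe_once "$host" "$hi"; then
        echo "$hi"
        return
    fi
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe_once "$host" "$mid"; then
            lo=$mid
        else
            hi=$mid
        fi
    done
    echo "$lo"
}

# Only run the network probe when a target is supplied; the arithmetic
# helpers above work without one.
if [ -n "${PROBE_HOST:-}" ]; then
    echo "1500-byte MTU, plain:  $(max_icmp_payload 1500)-byte ICMP payload fits"
    echo "1500-byte MTU, IPsec:  $(max_icmp_payload_ipsec 1500)-byte ICMP payload fits"
    largest=$(probe_path_mtu "$PROBE_HOST")
    echo "largest unfragmented payload to $PROBE_HOST: $largest bytes (path MTU about $((largest + 28)))"
    echo "a 2048-byte ping must be fragmented; a DF bit set on the way or dropped fragments at a firewall will make it fail"
fi
```

Run it as `PROBE_HOST=10.0.0.1 sh probe.sh` from one end of the tunnel. If the reported figure is well below the 1472 bytes a plain 1500-byte Ethernet path allows, the tunnel overhead is what is eating the space, and any 2048-byte echo has to be fragmented and reassembled on the far side, which is exactly what a do-not-fragment setting or a fragment-dropping filter on the path will break.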

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.