m0n0wall strange vpn ipsec problem

hi all, I've set up 2 m0n0walls in 2 different sites to make a VPN IPsec connection through my LAN

everything is ok (ping, ssh, etc.) but only in a ONE-WAY situation: when I try to connect from site1 to site2, after a few commands my window hangs. In other words, I can connect to the remote m0n0wall interface (http) without problem via VPN, but if I try to connect to a server in the remote LAN (for example via ssh), after a few commands (ls -l) it is OK if the result is a few characters, otherwise my window hangs!! If I do the same from site 2 to site 1 all is perfect.

I cannot understand the problem because everything seems to work correctly and I don't have any log errors.

please help me!!

thanks, matteo, italy

PS I have other situations running without problems....

teo

First thing to check with such strange hangs: MTU problems...

Set down the MTU on your client host to 1400, for example, or play with the TCPMSS on one of the gates, and try again.

Yvan.

VANHULLEBUS Yvan

thanks, Yvan, I tried to change the MTU but nothing changed. Do I have to reboot the firewalls? For me the problem is when the firewall routes packets via VPN into the remote LAN, because I have no problem managing the remote firewall web interface, but if I try to manage another host via web it hangs.

matteo

teo
[Hangs over IPSec]

Strange, what you describe (hangs over IPSec tunnel for big data flows) really looks like a packet size problem....

No, you shouldn't reboot the firewalls after changing the MTU, but did you change the MTU on the firewalls or on your traffic endpoint (the host from which you establish your sessions)?

Try with a very low MTU value on the TRAFFIC ENDPOINT (not on the IPsec gates) to ensure this is really not related to that, then try to dump what's going on the wire (between the IPsec gates) to see if you can notice something abnormal.

And, when a session hangs, can you still establish other new sessions through the IPsec tunnel?

And tell us what IPsec gates you're using, perhaps there is just a known bug somewhere.....

Yvan.

VANHULLEBUS Yvan
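As an added illustration (not code from the thread), here is the ESP tunnel-mode size arithmetic behind the MTU advice above. It assumes 3DES-CBC (8-byte block and IV) with HMAC-SHA1-96 (12-byte ICV), a plain IPv4 outer header and no NAT-T UDP encapsulation; it shows why a full-size 1500-byte inner packet no longer fits on a 1500-byte link after encapsulation, while a smaller endpoint MTU does.

```python
# Added example, not part of the original thread. Cipher/ICV sizes are
# assumptions (3DES-CBC + HMAC-SHA1-96); pass block/iv_len/icv_len to change them.

OUTER_IP = 20      # outer IPv4 header added by ESP tunnel mode
ESP_HDR = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)
IP_TCP_HDRS = 40   # inner IPv4 (20) + TCP (20) without options


def esp_outer_size(inner_len, block=8, iv_len=8, icv_len=12):
    """Bytes on the wire for an inner IP packet of inner_len bytes after ESP tunnel encapsulation."""
    # ESP pads so that (inner packet + pad + trailer) is a multiple of the cipher block size.
    pad = (-(inner_len + ESP_TRAILER)) % block
    return OUTER_IP + ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + icv_len


def max_inner_mtu(outer_mtu=1500, **kw):
    """Largest inner packet that still fits in one outer packet without fragmentation."""
    best = 0
    for inner in range(IP_TCP_HDRS, outer_mtu + 1):
        if esp_outer_size(inner, **kw) <= outer_mtu:
            best = inner
    return best


def tcp_mss_clamp(inner_mtu):
    """TCP MSS value to advertise/clamp so a full segment fits the given inner MTU."""
    return inner_mtu - IP_TCP_HDRS


def classify(inner_len, outer_mtu=1500, **kw):
    """Explain the symptom: short replies fit, full-size segments need fragmentation.
    A full-size segment with DF set is dropped by the gate; if the ICMP
    'fragmentation needed' never reaches the sender, the session just hangs."""
    if esp_outer_size(inner_len, **kw) <= outer_mtu:
        return "fits"
    return "needs fragmentation"


if __name__ == "__main__":
    inner = max_inner_mtu()
    print("1500-byte inner packet becomes", esp_outer_size(1500), "bytes:", classify(1500))
    print("largest inner packet that fits a 1500-byte link:", inner)
    print("matching TCP MSS clamp:", tcp_mss_clamp(inner))
    print("1430-byte inner packet (the value used in this thread):", classify(1430))
```

The same arithmetic with `block=16, iv_len=16` covers AES-CBC; a `tcpdump` on the link between the gates should then show outer packets never exceeding the value `max_inner_mtu` maps to.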

thanks, Yvan, for your support, this is really a strange problem... I changed the MTU on the WAN interface of the m0n0wall firewall (now it is 1000 but nothing changed)

yes, when a session hangs, I can still open another session

I'm using m0n0wall 1.2 on an ISO CD-ROM

---update--- it works!!! If I change the MTU (I set 1430) on the traffic endpoint it WORKS!! Thanks a lot for your help. My last question is: do I have to change the MTU of all the hosts that I need to manage?

matteo

teo
