# Possible IPSec MTU problems (2.6.8, ipsec-tools/racoon)

## nhaggin

Greetings, all.

I've decided to secure my brand-spanking-new 802.11g access point with a captive portal and IPSec. The captive portal works beautifully, but IPSec has been giving me large headaches; I finally got racoon configured properly on both server and client, but I appear to have trouble sending large packets. I can ping pretty much any address in the known universe at the default packet size, get Google, and otherwise deal with things requiring small packets, but if I try to go to, say, Red Hat's site, or grab a large file from somewhere, nothing happens after the initial TCP handshake.

Another post on the forum suggested to me that I might be having a problem with mismatched MTUs and fragmentation; is this the case, and if so, how might I fix it?

Or should I forget about IPSec and work with something like OpenVPN instead?

----------

## JonR800

Drop your MTU on both of the ipsec endpoints.  The overhead added with the encryption is what's giving you trouble.  Try dropping it to 1400.

----------

## nhaggin

I dropped the MTU first to 1400 with no results, and then to 1000; at 1000 I could connect to places I hadn't been able to previously, but after a certain amount of data were transferred the connection would freeze. The same phenomenon occurred on an SSH session with my (local) server.

----------

## sigSEGV2003

You could also make sure that path MTU discovery is working properly.  Make sure you aren't dropping (firewalled, etc.) the ICMP packet from the IPSec tunnel endpoint to the host.  The packet is ICMP message type 3 (Unreachable) code 4 (Fragmentation--DF--Set).  Allowing this packet through will let the host know it needs to lower its MTU.

----------

## primero.gentoo

I've solved the same problems with the "Advertise MSS (Maximum segment size)" option in the "ip route" command.

```
#ip route
192.168.100.0/24 dev eth1  proto kernel  scope link  src 192.168.100.2
127.0.0.0/8 via 127.0.0.1 dev lo  scope link
default via 192.168.100.1 dev eth1
```

This is the normal one.

The first one is the route of my LAN and the last one is the default gw.

```
#ip route change 192.168.100.0/24 dev eth1  proto kernel  scope link  src 192.168.100.2 advmss 1350
#ip route change default via 192.168.100.1 dev eth1 advmss 1350
```

This way no packet's payload will be more than 1350, so with the IPsec headers it will not get greater than 1500.

1350 works for me, but I think you can tune it better for your connection.

bye

----------
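As an added example (not code from any poster), the script below shows where a number like 1350 comes from: it computes the largest TCP MSS that still lets an ESP-encapsulated segment fit a 1500-byte link, then rewrites `ip route` output into the `ip route change ... advmss` commands shown in the previous post. The ESP field sizes are textbook RFC 4303 values and the cipher/ICV parameters are assumptions; adjust them to the transforms racoon actually negotiated.

```python
"""Derive a safe TCP MSS for ESP-protected traffic and generate advmss commands.

Added example for the thread above; ESP overhead follows RFC 4303 layout
(SPI, sequence number, IV, padding, pad-length/next-header, ICV). The default
cipher_block/iv/icv values assume AES-CBC with a 96-bit HMAC and are assumptions.
"""
IPV4_HDR = 20  # outer or inner IPv4 header, no options
TCP_HDR = 20   # TCP header, no options


def esp_overhead(cipher_block=16, iv=16, icv=12, tunnel=True):
    """Worst-case bytes ESP adds to one IP packet.

    8 (SPI + sequence) + IV + up to (block - 1) padding bytes
    + 2 (pad length, next header) + ICV, plus a new outer IPv4
    header when running in tunnel mode.
    """
    over = 8 + iv + (cipher_block - 1) + 2 + icv
    if tunnel:
        over += IPV4_HDR
    return over


def safe_mss(link_mtu=1500, **esp_params):
    """Largest TCP payload whose ESP packet never exceeds the link MTU.

    Only TCP honours MSS; large UDP/ICMP packets still rely on path MTU
    discovery (ICMP type 3 code 4 must not be firewalled, as noted above).
    """
    return link_mtu - IPV4_HDR - TCP_HDR - esp_overhead(**esp_params)


def advmss_commands(ip_route_output, mss):
    """Turn each `ip route` line into `ip route change <route> advmss <mss>`.

    Loopback routes are skipped: traffic to 127/8 never crosses the tunnel.
    """
    cmds = []
    for line in ip_route_output.splitlines():
        words = line.split()
        if not words or words[0].startswith("127."):
            continue
        cmds.append(f"ip route change {' '.join(words)} advmss {mss}")
    return cmds


# Constructed sample: the `ip route` listing from the post above.
SAMPLE_IP_ROUTE = """192.168.100.0/24 dev eth1  proto kernel  scope link  src 192.168.100.2
127.0.0.0/8 via 127.0.0.1 dev lo  scope link
default via 192.168.100.1 dev eth1
"""
```

With the default AES-CBC tunnel-mode assumptions `safe_mss()` returns 1387, which is why a clamp of 1350 leaves comfortable headroom.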

## nhaggin

Bingo; it works now. On reflection, it makes sense that TCP MSS rather than Ethernet MTU (which I was fiddling around with) would have to be changed.

Thanks to everyone who assisted.

----------

