explicitly allow fragmented packets in ipsec environment - unset the DF bit
Hi,

I've stumbled over something that appears a bit strange to me. I can send 15 Kbyte pings (I haven't tried larger packets yet, but I'm sure they will go through the tunnel as well) to the other end of an ipsec (freeswan-freeswan) tunnel. Checking my fragmented packets, the DF bit is not set. The other end of the tunnel, however, can "only" send 1500 Byte pings to me. Those packets have the DF bit set.

I wonder how it is possible to unset the DF bit in an IP implementation. Or is there a difference between the various Linux distributions? My ipsec box is a Red Hat while the firewall box right behind it is a SuSE box. I also checked the /proc filesystem for an option to disable the DF bit, but could not find anything.

Thanks for any suggestions,
Philipp
On Friday, 3 October 2003 09:17, you wrote:
> I can send 15 Kbyte (I haven't tried larger packets yet but I'm sure they will go through the tunnel as well) pings to the other end of an ipsec (freeswan-freeswan) tunnel. Checking my fragmented packets the DF bit is not set. The other end of the tunnel, however, can "only" send 1500 Byte pings to me. Those packets have the DF bit set.
Hi!

The following is taken from /usr/src/linux/Documentation/Configure.help:

  TCPMSS target support
  CONFIG_IP_NF_TARGET_TCPMSS
    This option adds a `TCPMSS' target, which allows you to alter the MSS value of TCP SYN packets, to control the maximum size for that connection (usually limiting it to your outgoing interface's MTU minus 40).

    This is used to overcome criminally braindead ISPs or servers which block ICMP Fragmentation Needed packets. The symptoms of this problem are that everything works fine from your Linux firewall/router, but machines behind it can never exchange large packets [...]

This sounds quite a bit like your problem. One of your systems seems to be unable to send fragmented packets. And as 1500 bytes is probably your MTU, the host that cannot send fragmented packets cannot send packets larger than 1500 bytes.

Maybe this is simply because you yourself are blocking the "ICMP Fragmentation Needed" packets, so check your firewall rules/logs. If that doesn't help, maybe this kernel option will.

Regards
nordi

-- 
For mankind is threatened by wars against which those of the past were paltry attempts, and they will come without any doubt, unless the hands of those who prepare them in full public view are smashed.
Bertolt Brecht, 1952
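The mechanics nordi is pointing at, as an added example that is not part of either message: a Python sketch of what the IPv4 flags field looks like on the wire (so you can tell a DF-set 1500-byte ping from the fragments of a 15 Kbyte one in a capture), what a router does with an oversized datagram when DF is clear (fragment, multiples of 8 bytes, MF on all but the last) versus set (drop it and return ICMP type 3 code 4 with the next-hop MTU), and the ICMP "Fragmentation Needed" message itself, which is the packet a firewall must let through. Addresses, IDs and sizes are constructed sample values, not taken from the thread.

```python
import struct

# IPv4 flags / fragment-offset field (bytes 6-7 of the header)
IP_FLAG_DF = 0x4000        # Don't Fragment: routers must drop instead of fragmenting
IP_FLAG_MF = 0x2000        # More Fragments: set on every fragment but the last
FRAG_OFFSET_MASK = 0x1FFF  # offset, in 8-byte units

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4       # "Fragmentation Needed and DF set" (RFC 792, RFC 1191)

IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte header without options


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _addr(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4_header(total_len, ident, df=False, mf=False, frag_offset_bytes=0,
                      proto=1, src="10.0.0.1", dst="10.0.1.1") -> bytes:
    """Minimal IPv4 header with a valid checksum. Addresses are constructed sample values."""
    if frag_offset_bytes % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = ((IP_FLAG_DF if df else 0) | (IP_FLAG_MF if mf else 0)
                  | (frag_offset_bytes // 8))
    fields = [0x45, 0, total_len, ident, flags_frag, 64, proto, 0, _addr(src), _addr(dst)]
    fields[7] = _checksum(struct.pack(IPV4_HDR, *fields))
    return struct.pack(IPV4_HDR, *fields)


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed header; the 'df', 'mf' and 'frag_offset' keys are what to check in a capture."""
    if len(pkt) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    return {"ihl_bytes": (ver_ihl & 0x0F) * 4, "total_length": total_len, "id": ident,
            "df": bool(flags_frag & IP_FLAG_DF), "mf": bool(flags_frag & IP_FLAG_MF),
            "frag_offset": (flags_frag & FRAG_OFFSET_MASK) * 8, "ttl": ttl, "protocol": proto,
            "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst)}


def fragment(datagram: bytes, mtu: int) -> list:
    """Forward a datagram over a link of the given MTU the way a router does.

    Fits: pass through.  Too big with DF clear: fragment (same ID, payload in 8-byte
    multiples, MF on all but the last).  Too big with DF set: drop and signal ICMP 3/4,
    the message that must not be filtered or the sender never learns the path MTU.
    """
    hdr = parse_ipv4_header(datagram)
    if len(datagram) <= mtu:
        return [datagram]
    if hdr["df"]:
        raise ValueError("DF set and %d bytes > MTU %d: drop and send ICMP %d/%d"
                         % (len(datagram), mtu, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED))
    if hdr["ihl_bytes"] != 20:
        raise ValueError("IP options not handled in this example")
    payload = datagram[20:]
    chunk = ((mtu - 20) // 8) * 8     # largest 8-byte-aligned payload that fits
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more = off + chunk < len(payload) or hdr["mf"]
        frags.append(build_ipv4_header(20 + len(piece), hdr["id"], df=False, mf=more,
                                       frag_offset_bytes=hdr["frag_offset"] + off,
                                       proto=hdr["protocol"], src=hdr["src"], dst=hdr["dst"])
                     + piece)
    return frags


def build_icmp_frag_needed(next_hop_mtu: int, original: bytes) -> bytes:
    """ICMP type 3 code 4: checksum, 16 unused bits, next-hop MTU, then the offending
    IP header plus its first 8 payload bytes so the sender can match it to a socket."""
    ihl = parse_ipv4_header(original)["ihl_bytes"]
    body = (struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
            + original[:ihl + 8])
    return body[:2] + struct.pack("!H", _checksum(body)) + body[4:]


def parse_icmp_frag_needed(icmp: bytes):
    """Return the advertised next-hop MTU for a Fragmentation Needed message, else None."""
    if len(icmp) < 8:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    return mtu if (typ, code) == (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED) else None


if __name__ == "__main__":
    MTU = 1500
    # Constructed: ping -s 15000 -> 8-byte ICMP echo header + 15000 bytes of data, DF clear
    big = build_ipv4_header(20 + 8 + 15000, 0x1234) + bytes(8 + 15000)
    for f in fragment(big, MTU):
        h = parse_ipv4_header(f)
        print("len=%5d id=0x%04x DF=%d MF=%d offset=%5d"
              % (h["total_length"], h["id"], h["df"], h["mf"], h["frag_offset"]))
    # Constructed: 1501 bytes with DF set does not fit, so the router answers with ICMP 3/4
    too_big = build_ipv4_header(1501, 0x1235, df=True) + bytes(1481)
    try:
        fragment(too_big, MTU)
    except ValueError as err:
        print(err)
        print("sender learns next-hop MTU =",
              parse_icmp_frag_needed(build_icmp_frag_needed(MTU, too_big)))
```

On Linux the DF bit is set by default because path MTU discovery is on; `ping -M dont` (the IP_PMTUDISC_DONT socket option) sends with DF clear, and `ping -M do` forces it on, which makes ping a quick way to test whether the ICMP 3/4 messages from the tunnel path actually reach the sending host. An iptables rule set that accepts `icmp --icmp-type fragmentation-needed` (and, for TCP behind the gateway, the TCPMSS target quoted above) is the usual fix when they do not.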