IPSEC 1418 MTU Limit



  • Hi
        We have been successfully using PFSENSE for about a year for a perimeter firewall. We have three WAN connections (separate ISP's).  We have just set up our first IPSEC tunnel with a partner that uses CISCO and discovered the MAX 1418 packet size limit for the tunnel with PFSENSE.  As a workaround we decreased the WAN connection (the one using the tunnel) to a MTU of 1400. This seem to correct the Black Hole issue with the tunnel, but are now getting clients and customers that access a service we provide through HTTPS complaining of slowness when coming through the WAN interface with the 1400 MTU.

    Is there anyway to correct the IPSEC Black Hole issue without having to change the WAN interface MTU to a non optimal setting? Searches about this issue on the NET indicates that both Monowall and PFSENSE have had the issue for a long time and it still exists in 1.2.3.  Is there a patch, and if not is this serious problem going to be fixed soon? I suggest at least making users of PFSENSE aware when setting up the IPSEC tunnel through some type of message.

    Thanks in advance
    Bob



  • Any updates to this? I'm about to go back to my Linux/StrongSWAN based firewall.


Locked