[Openswan Users] RDP from internal NET to VPN client fails, and some other strangeness..

Paul Wouters paul at xelerance.com
Thu Nov 16 22:05:34 EST 2006

On Thu, 16 Nov 2006, dashnu wrote:

> Hello again. After reading a few more links on Jacco's site, I am wondering some
> things.
> I block ICMP and enable path MTU which I now see is absolutely pointless and
> not wise..
> If I allow icmp & enable pmtu would this solve my issue? If so, is icmp type 3 all
> I need to allow in?
> Any major risks involved with doing this?

Filtering icmp is never a good idea. At most only filter the known dangerous
types of icmp (e.g. routing changes) and the echo request/reply. Don't filter
the other types of icmp.

> Another thing is I really have no control over the other end... If they have
> icmp filtered at the router level or in windows I will again run into this
> problem I would assume.

That is why Windows and OSX run the vpn devices with a lowered mtu. Windows does
1440 I believe and OSX does 1200.
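An added example, not part of the original thread, that decodes the ICMP "fragmentation needed" message path MTU discovery relies on and shows what the sending host ends up believing under the poster's block-all-ICMP policy versus the drop-only-redirects-and-echo policy recommended above. The 1440-byte next-hop MTU and the quoted IPv4 header are constructed sample values.

```python
import struct

# ICMP types/codes involved in the thread (RFC 792 / RFC 1191 values).
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_REDIRECT, ICMP_ECHO_REQUEST = 0, 3, 5, 8
FRAG_NEEDED = 4  # type 3, code 4: "fragmentation needed and DF set"

# Recommended policy: drop only route-changing ICMP and echo, pass everything else.
RECOMMENDED_BLOCK = {ICMP_REDIRECT, ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY}
BLOCK_ALL_ICMP = {ICMP_DEST_UNREACH, *RECOMMENDED_BLOCK}  # the poster's original setup

# Constructed sample: a 1500-byte IPv4 packet's header with DF set, plus the first
# 8 payload bytes, which a router quotes back inside the ICMP error.
SAMPLE_ORIGINAL = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                              bytes([10, 0, 0, 5]), bytes([192, 168, 1, 10])) + b"\x00" * 8

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frag_needed(next_hop_mtu: int, quoted: bytes = SAMPLE_ORIGINAL) -> bytes:
    """Build the ICMP type 3/code 4 message a router sends; RFC 1191 carries the
    next-hop MTU in the low 16 bits of the otherwise unused header field."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, FRAG_NEEDED, 0, 0, next_hop_mtu) + quoted
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def parse_icmp(packet: bytes) -> dict:
    """Decode the ICMP header, verify the checksum, and pull out the MTU hint."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    typ, code, _chk, _unused, mtu = struct.unpack("!BBHHH", packet[:8])
    info = {"type": typ, "code": code, "checksum_ok": icmp_checksum(packet) == 0}
    if typ == ICMP_DEST_UNREACH and code == FRAG_NEEDED:
        info["next_hop_mtu"] = mtu
    return info

def path_mtu_after_icmp(blocked_types, packet: bytes, current_mtu: int = 1500) -> int:
    """Path MTU the sending host believes in after the firewall has applied
    'blocked_types' to an inbound ICMP message. If the fragmentation-needed
    message is dropped, the host keeps 1500 and its large packets (the RDP
    session in the thread) silently vanish: a PMTUD black hole."""
    info = parse_icmp(packet)
    if info["type"] in blocked_types or not info["checksum_ok"]:
        return current_mtu
    return min(current_mtu, info.get("next_hop_mtu", current_mtu))
```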


