FreeBSD + IPSec
A while ago, we decided to replace some existing IPsec gateways with new ones. While we were at it, we thought it would be nice to have the new ones run FreeBSD and use PF for filtering, instead of Linux and iptables. All seemed to go well, until we did some real-life tests: large file transfers randomly broke off. A little fiddling with the rulesets helped a bit, but weird things were still going on. And no, ICMP was not filtered :) Because of these problems we called off the whole migration twice already, until last Sunday.
The 'trick' was setting the MTU on our tunnel interfaces to 1520, although I'm still not sure whether it is the fix for our problem or just an ugly workaround. Oh well, at least for now it gets the job done :)
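To make the MTU question concrete, here is a small added example (not part of the original post or of FreeBSD) that models where a packet gets fragmented for a given tunnel interface MTU and physical MTU. It assumes ESP tunnel mode with AES-CBC (16-byte IV and block) and HMAC-SHA1-96 (12-byte ICV); those parameters are an assumption, so substitute the ones from the SA you actually negotiated. The stack model is deliberately simplified: a packet larger than the tunnel MTU is split before encryption, and an ESP packet larger than the physical MTU is split after it.

```python
# Added example, not code from the original post: a model of ESP tunnel-mode
# overhead and of where fragmentation happens for a given tunnel interface MTU.
# ESP parameters (AES-CBC 16-byte IV/block, HMAC-SHA1-96 12-byte ICV) are an
# assumption; the stack behaviour is a simplified model, not FreeBSD's code.

OUTER_IP_HDR = 20      # outer IPv4 header added in tunnel mode
ESP_HDR = 8            # SPI (4) + sequence number (4)
ESP_TRAILER_FIXED = 2  # pad length (1) + next header (1)
TCP_IP_HDRS = 40       # IPv4 (20) + TCP (20) without options


def esp_tunnel_overhead(inner_len, iv_len=16, block_len=16, icv_len=12):
    """Bytes added when an inner IP packet of inner_len is wrapped in ESP tunnel mode.

    The encrypted region (inner packet + padding + the 2 fixed trailer bytes)
    must be a multiple of the cipher block size, so padding depends on inner_len.
    """
    pad_len = (-(inner_len + ESP_TRAILER_FIXED)) % block_len
    return OUTER_IP_HDR + ESP_HDR + iv_len + pad_len + ESP_TRAILER_FIXED + icv_len


def max_inner_packet(outer_mtu=1500, **esp):
    """Largest inner IP packet whose ESP encapsulation still fits one outer datagram."""
    inner = outer_mtu
    while inner + esp_tunnel_overhead(inner, **esp) > outer_mtu:
        inner -= 1
    return inner


def mss_clamp(outer_mtu=1500, **esp):
    """TCP MSS that keeps a full segment inside one ESP packet.

    This is the value a PF 'scrub ... max-mss' rule could clamp to, so TCP
    never emits a segment that needs fragmenting anywhere on the path.
    """
    return max_inner_packet(outer_mtu, **esp) - TCP_IP_HDRS


def fragmented_where(inner_len, tunnel_mtu, outer_mtu=1500, **esp):
    """Where the simplified stack fragments an inner packet: 'tunnel', 'outer' or 'none'.

    'tunnel': the packet exceeds the tunnel interface MTU and is split before
              encryption (or, with DF set, the sender gets an ICMP need-frag).
    'outer':  it fits the tunnel MTU but the ESP packet exceeds the physical
              MTU, so the outer datagram is fragmented after encryption and the
              peer gateway has to reassemble ESP fragments.
    """
    if inner_len > tunnel_mtu:
        return "tunnel"
    if inner_len + esp_tunnel_overhead(inner_len, **esp) > outer_mtu:
        return "outer"
    return "none"


if __name__ == "__main__":
    print("max inner packet for a 1500-byte outer MTU:", max_inner_packet())
    print("suggested TCP MSS clamp:", mss_clamp())
    for tunnel_mtu in (1280, 1438, 1520):
        print(f"tunnel MTU {tunnel_mtu}: a 1500-byte inner packet fragments at",
              fragmented_where(1500, tunnel_mtu))
```

With these assumed SA parameters a 1500-byte inner packet picks up 60 bytes of ESP overhead, so only inner packets up to 1438 bytes fit a 1500-byte physical MTU. Setting the tunnel MTU to 1520 therefore never fragments before encryption; the oversized ESP packet is fragmented afterwards instead, which is why a value above the physical MTU can look like a fix while still shipping fragments across the tunnel.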
