Netgate Discussion Forum

    IPsec packet fragmentation

    IPsec
    3 Posts 2 Posters 5.2k Views
      eazydor

      hi everybody,
      mobile client ipsec with mutual rsa & x-auth is running fine locally, but can't connect over the internet because phase 1 failed due to time up. PSK & X-Auth works, well, perfectly.

      since locally everything is working fine and i am able to connect over the internet via the shrewsoft client when i reduce the mtu (but only shrewsoft's, because that's the only client i have around where i could adjust the mtu size), i do believe it's some sort of packet-fragmentation / overhead problem. i tried to reduce the mtu on the wan interface of pfsense as suggested by the pfsense wiki, but that didn't help..

      do i have to adjust the client's interface and/or gateway mtu as well? could this be a problem with my provider? is it even possible that what i'm talking about makes sense? i am far from being a network engineer, so unfortunately i am struggling to narrow this one down further..

      i'm on an october 12th snapshot, i386 iso, wan does dsl over pppoe, logs are below.

      Oct 12 21:22:28 fw1 racoon: INFO: respond new phase 1 negotiation: 80.201.21.65[500]<=>80.201.89.13[500]
      Oct 12 21:22:28 fw1 racoon: INFO: begin Identity Protection mode.
      Oct 12 21:22:28 fw1 racoon: INFO: received Vendor ID: RFC 3947
      Oct 12 21:22:28 fw1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
      Oct 12 21:22:28 fw1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
      Oct 12 21:22:28 fw1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
      Oct 12 21:22:28 fw1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
      Oct 12 21:22:28 fw1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
      Oct 12 21:22:28 fw1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
      Oct 12 21:22:28 fw1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Oct 12 21:22:28 fw1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Oct 12 21:22:28 fw1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
      Oct 12 21:22:28 fw1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
      Oct 12 21:22:28 fw1 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
      Oct 12 21:22:28 fw1 racoon: INFO: received Vendor ID: CISCO-UNITY
      Oct 12 21:22:28 fw1 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Oct 12 21:22:28 fw1 racoon: INFO: received Vendor ID: DPD
      Oct 12 21:22:28 fw1 racoon: INFO: Selected NAT-T version: RFC 3947
      Oct 12 21:22:28 fw1 racoon: INFO: Adding xauth VID payload.
      Oct 12 21:22:28 fw1 racoon: INFO: Hashing 80.201.21.65[500] with algo #2
      Oct 12 21:22:28 fw1 racoon: INFO: NAT-D payload #0 verified
      Oct 12 21:22:28 fw1 racoon: INFO: Hashing 80.201.89.13[500] with algo #2
      Oct 12 21:22:28 fw1 racoon: INFO: NAT-D payload #1 doesn't match
      Oct 12 21:22:28 fw1 racoon: INFO: NAT detected: PEER
      Oct 12 21:22:28 fw1 racoon: INFO: Hashing 80.201.89.13[500] with algo #2
      Oct 12 21:22:28 fw1 racoon: INFO: Hashing 80.201.21.65[500] with algo #2
      Oct 12 21:22:28 fw1 racoon: INFO: Adding remote and local NAT-D payloads.
      Oct 12 21:22:41 fw1 racoon: ERROR: phase1 negotiation failed due to time up. 52570a2dedfbc985:d2278ea30a9d63eb

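The racoon log above is the kind of evidence worth triaging mechanically rather than by eye. What follows is an added example in Python, not pfSense or racoon code: it walks racoon phase-1 lines, groups them per negotiation, and flags timeouts that fit the fragmentation hypothesis. The reasoning it encodes is general IKEv1 behaviour: in main mode with certificate authentication, the messages that carry the certificate are usually larger than the path MTU and get IP-fragmented, and UDP fragments are frequently dropped by NAT devices or upstream filters, whereas PSK negotiations stay small and survive the same path. The sample log lines are constructed (documentation addresses and a made-up cookie), the "NAT not detected" and "ISAKMP-SA established" lines are racoon's own message formats, and the verdict wording is mine.

```python
import re

# Constructed sample racoon log (not the thread's log): the first negotiation
# times out behind a NAT after the client advertised IKE fragmentation support,
# the second one completes. Addresses are documentation ranges.
SAMPLE_LOG = """\
Oct 12 21:22:28 fw1 racoon: INFO: respond new phase 1 negotiation: 192.0.2.10[500]<=>198.51.100.7[500]
Oct 12 21:22:28 fw1 racoon: INFO: begin Identity Protection mode.
Oct 12 21:22:28 fw1 racoon: INFO: received Vendor ID: RFC 3947
Oct 12 21:22:28 fw1 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Oct 12 21:22:28 fw1 racoon: INFO: NAT-D payload #0 verified
Oct 12 21:22:28 fw1 racoon: INFO: NAT-D payload #1 doesn't match
Oct 12 21:22:28 fw1 racoon: INFO: NAT detected: PEER
Oct 12 21:22:41 fw1 racoon: ERROR: phase1 negotiation failed due to time up. 0011223344556677:8899aabbccddeeff
Oct 12 21:30:02 fw1 racoon: INFO: respond new phase 1 negotiation: 192.0.2.10[500]<=>203.0.113.9[500]
Oct 12 21:30:02 fw1 racoon: INFO: begin Identity Protection mode.
Oct 12 21:30:02 fw1 racoon: INFO: NAT-D payload #0 verified
Oct 12 21:30:02 fw1 racoon: INFO: NAT-D payload #1 verified
Oct 12 21:30:02 fw1 racoon: INFO: NAT not detected
Oct 12 21:30:03 fw1 racoon: INFO: ISAKMP-SA established 192.0.2.10[500]-203.0.113.9[500] spi:00112233445566778899aabbccddeeff
"""

NEW_NEG = re.compile(r"respond new phase 1 negotiation: (?P<local>\S+)<=>(?P<peer>\S+)")
ESTABLISHED = re.compile(r"ISAKMP-SA established")
TIMED_OUT = re.compile(r"phase1 negotiation failed due to time up")


def parse_phase1(log_text):
    """Return one record per phase-1 negotiation found in racoon log text.

    Each record notes the peer, the exchange mode, whether NAT-T detected a NAT,
    whether the client advertised IKE fragmentation, and how the exchange ended.
    Lines are attributed to the most recently opened negotiation, which is how
    racoon emits them for a single responder.
    """
    records = []
    current = None
    for line in log_text.splitlines():
        m = NEW_NEG.search(line)
        if m:
            current = {
                "peer": m.group("peer"),
                "mode": None,
                "nat_detected": False,
                "client_offers_fragmentation": False,
                "outcome": "incomplete",
            }
            records.append(current)
            continue
        if current is None:
            continue
        if "begin Identity Protection mode" in line:
            current["mode"] = "main"
        elif "begin Aggressive mode" in line:
            current["mode"] = "aggressive"
        elif "NAT detected:" in line:            # "NAT not detected" does not match
            current["nat_detected"] = True
        elif "ID: FRAGMENTATION" in line:        # client supports IKE-level fragmentation
            current["client_offers_fragmentation"] = True
        elif TIMED_OUT.search(line):
            current["outcome"] = "timed_out"
            current = None
        elif ESTABLISHED.search(line):
            current["outcome"] = "established"
            current = None
    return records


def triage(records):
    """Return (peer, verdict) pairs for negotiations that timed out."""
    out = []
    for r in records:
        if r["outcome"] != "timed_out":
            continue
        if r["mode"] == "main" and r["nat_detected"]:
            verdict = ("main-mode timeout behind NAT: consistent with large IKE messages "
                       "(certificate payloads) being IP-fragmented and the fragments "
                       "dropped on the path; MSS clamping cannot help UDP-based IKE")
        elif r["mode"] == "main":
            verdict = ("main-mode timeout without NAT: check path MTU and whether "
                       "UDP fragments are filtered upstream")
        else:
            verdict = "timeout with no fragmentation indicator: check proposal/policy mismatch"
        out.append((r["peer"], verdict))
    return out


if __name__ == "__main__":
    for peer, verdict in triage(parse_phase1(SAMPLE_LOG)):
        print(f"{peer}: {verdict}")
```

Run it against a real racoon log by reading the file into `parse_phase1`; a string of main-mode timeouts from NAT-ed peers alongside successful PSK negotiations is the signature the thread describes.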
        jimp (Rebel Alliance Developer, Netgate)

        Are you on 2.0?

        If so, try adjusting this: System > Advanced, Miscellaneous tab, check "Enable MSS clamping on VPN traffic" and put the lower MTU there.

          eazydor

          hi jim, yes, 2.0, always the latest snapshot, but i don't believe it has anything to do with 2.0 specifically, therefore i didn't post it over there..

          i have tried mss clamping on vpn traffic (tried a few adjustments) around 1300 bytes. before that i tried a few settings for the wan's mtu around 1500 and mss clamping on wan around 1300-1350, leaving space for around 150 bytes of overhead. but i don't really know if my thinking is right..

          still, when i adjust the mtu of the ipsec client it does establish the connection and traffic passes through it. on the same line with e.g. the osx or iphone client, it fails with the logs posted above; i even tried connecting through umts, no way. windows & linux clients are working fine. i tried to adjust the clients' lan interface mtu too, but that didn't help either, and it seems to be bad practice..

          i don't even know if i'm talking absolute rubbish here, so given that, thank you for bearing with me..

          ROOKIE AT WORK.

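The "around 150 bytes of overhead" guess in the post above can be worked out exactly, which is what the following added example does. It is Python written for this thread, not pfSense or racoon code, and it assumes an ESP tunnel in CBC mode with HMAC integrity, NAT-T UDP encapsulation, and a PPPoE WAN; the transform names, header sizes and the 1500-byte link MTU are listed in the code as the assumptions. It also counts how many IP fragments an IKE datagram of a given size needs on that WAN, which is the caveat that matters here: clamping TCP MSS only shapes TCP traffic inside the tunnel, while IKE phase 1 is UDP, so a main-mode message carrying a certificate will still be fragmented regardless of the MSS setting.

```python
# Per-packet overhead in bytes for ESP over NAT-T on a PPPoE WAN (assumed layout).
PPPOE_OVERHEAD = 8      # PPPoE header (6) + PPP protocol field (2)
OUTER_IPV4 = 20         # outer IPv4 header without options
NAT_T_UDP = 8           # UDP/4500 encapsulation added when NAT-T is negotiated
ESP_HEADER = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2         # pad length (1) + next header (1)
INNER_IPV4_TCP = 40     # inner IPv4 (20) + TCP (20) headers, no options
UDP_HEADER = 8

# (cipher block size, IV length, ICV length) in bytes for common IKEv1 proposals.
TRANSFORMS = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "aes-cbc/hmac-md5-96": (16, 16, 12),
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
}


def wan_mtu(link_mtu=1500, pppoe=True):
    """MTU available to IP on the WAN: PPPoE takes 8 bytes out of the link MTU."""
    return link_mtu - (PPPOE_OVERHEAD if pppoe else 0)


def esp_fixed_overhead(transform, nat_t=True):
    """Bytes added before and after the encrypted region, independent of packet size."""
    _block, iv_len, icv_len = TRANSFORMS[transform]
    return OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HEADER + iv_len + icv_len


def max_inner_packet(mtu, transform, nat_t=True):
    """Largest inner IP packet whose ESP encapsulation still fits in `mtu`.

    The encrypted region is inner packet + padding + 2-byte trailer, rounded up
    to the cipher block size, so the budget is rounded down to a block boundary
    before the trailer is subtracted.
    """
    block = TRANSFORMS[transform][0]
    budget = mtu - esp_fixed_overhead(transform, nat_t)
    encrypted_max = budget - (budget % block)
    return encrypted_max - ESP_TRAILER


def safe_tcp_mss(mtu, transform, nat_t=True):
    """TCP MSS to clamp so a full-size segment never needs fragmentation in the tunnel."""
    return max_inner_packet(mtu, transform, nat_t) - INNER_IPV4_TCP


def overhead_per_packet(mtu, transform, nat_t=True):
    """Bytes lost per packet at the largest fitting size (the thread's 'overhead')."""
    return mtu - max_inner_packet(mtu, transform, nat_t)


def ip_fragments_needed(ike_message_len, mtu):
    """IP fragments an IKE UDP datagram needs on a link with the given MTU.

    Each fragment carries at most (mtu - 20) bytes of payload, rounded down to a
    multiple of 8 as the fragment offset field requires. PSK main-mode messages
    fit in one fragment; a message carrying a certificate usually does not.
    """
    per_fragment = ((mtu - OUTER_IPV4) // 8) * 8
    datagram = UDP_HEADER + ike_message_len
    return -(-datagram // per_fragment)   # ceiling division


if __name__ == "__main__":
    m = wan_mtu(1500, pppoe=True)         # 1492 on a PPPoE DSL line
    for name in TRANSFORMS:
        print(f"{name:22s} WAN MTU {m}: inner MTU {max_inner_packet(m, name)}, "
              f"clamp MSS to {safe_tcp_mss(m, name)}, "
              f"overhead {overhead_per_packet(m, name)} bytes")
    # A 2500-byte main-mode message 5/6 with an RSA certificate (assumed size):
    print(f"IKE message of 2500 bytes needs {ip_fragments_needed(2500, m)} IP fragments")
```

With AES-CBC and HMAC-SHA1-96 the fixed overhead is 64 bytes and the block rounding costs a few more, so an MSS around 1380 already fits a 1492-byte PPPoE WAN; the 1300 the poster tried is simply a safe margin below that. The fragment count is the part MSS clamping never touches: if the path drops UDP fragments, the certificate-bearing phase-1 exchange fails while PSK succeeds, exactly the split reported in the thread, and the fix has to be at the IKE level (a path that passes fragments, or IKE fragmentation support on both peers) rather than in TCP MSS.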
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.