IPsec 2.2 - loss of fragmented packets - possible bug?
-
I am running a fresh install of 2.2-Release.
I set up an IPsec connection between pfSense and a Lancom router. I experience weird issues regarding packets that exceed the MTU of the connection. For example, I can easily remotely browse an SMB share that's located at the Lancom side. However, the opposite is true for shares on the pfSense side. Same issue with RDP connections.
I did some ping tests (ping -l 1600) and captured the ICMP traffic.
Doing so, I found out that there seems to be a problem inside pfSense. It looks like packets originating from the tunnel dedicated to the LAN network never leave the inner mechanics of the system. You can look into my capture files (10.50.x.x is pfSense and 192.168.111.x is Lancom):
https://onedrive.live.com/redir?resid=11C91E403C7B0E9A!1617&authkey=!AH2KS950JpUpcNw&ithint=folder%2ccap , sorry, I was not able to upload them to the forum. Pings with big packets to hosts on the WAN (like 8.8.8.8) work flawlessly, and this only occurred to me using IPsec (could be an issue for mobile OpenVPN clients as well, but I can't say this for sure, no in-depth testing done yet).
-
I'm also experiencing this issue with a pfSense 2.2 to Mikrotik 6.25 IPsec VPN.
At first I thought it was the Mikrotik not fragmenting packets, but after trying to make it work for a couple of weeks I'm thinking it is an issue with pfSense.
-
Did you experience this issue with versions prior to 2.2? (2.1 and earlier, which used racoon instead of strongSwan.)
Because I have been informed of recent network anomalies by my staff which originate from the SMB issues, but I am not 100% sure if this issue existed before.
-
I'm not entirely sure if it existed before.
One interesting thing: pinging from anything on the pfSense side of the VPN to the Mikrotik's internal IP with a packet size of (for example) 1500 works! But not to a device on the Mikrotik's side.
Going the other way doesn't work at all with packets over 1426 bytes.
-
Can you try specifying a scrub rule manually that removes the Don't Fragment bits of the packets?
This can be enabled on the System->Advanced->Firewall->IP Do-Not-Fragment compatibility toggle.
-
I've enabled that.
It's made no difference.
Might I need to reboot the pfSense for it to take effect, or should it just work?
-
IP Do-Not-Fragment compatibility did not help, but activating the other Scrub option further down helped; the ping problem is gone.
What is the cause of the problem? Is it the IP stack implementation in the clients? Did the behavior change since 2.1? However, I now found out that traffic from other VMs on the XenServer is very slow, under 1kb/s. Since my time is tight, I don't think I can look further into that issue, but I will open another thread/bug report if otherwise.
-
Yeah, that means that something might be sending IP IDs that are similar.
Usually that is a problem on the client side, since that breaks fragmentation and not only that.
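As an added illustration of the last reply's point (example code, not from the thread or the pfSense project): the model below reassembles fragments the way pf does, keyed on source, destination and IP ID, and compares a host that reuses one IP ID against the scrub random-id rewrite applied before re-fragmenting for the tunnel. The hosts, the 1500-byte datagrams and the lost-fragment scenario are constructed; only the 1426-byte threshold is taken from the thread.

```python
import random
from collections import namedtuple

TUNNEL_MTU = 1426  # pings above this size failed in the thread; everything else here is constructed
Frag = namedtuple("Frag", "src dst ip_id offset length last")  # last: "more fragments" flag clear

class Reassembler:
    """Simplified pf-style reassembly: pieces are grouped by (src, dst, IP ID); a piece that
    overlaps bytes already held under that key discards the whole entry, as pf does."""
    def __init__(self):
        self.pending, self.completed, self.dropped = {}, [], 0

    def feed(self, f):
        key = (f.src, f.dst, f.ip_id)
        held = self.pending.setdefault(key, {})
        if any(f.offset < o + h.length and o < f.offset + f.length for o, h in held.items()):
            del self.pending[key]  # conflicting fragment: a stale partial entry poisons this ID
            self.dropped += 1
            return
        held[f.offset] = f
        total = next((o + h.length for o, h in held.items() if h.last), None)
        if total is not None and sum(h.length for h in held.values()) == total:
            self.completed.append(key)
            del self.pending[key]


def fragment(src, dst, ip_id, size, mtu=TUNNEL_MTU):
    """Split one datagram into mtu-sized pieces that all carry its IP ID."""
    pieces, off = [], 0
    while off < size:
        n = min(mtu, size - off)
        pieces.append(Frag(src, dst, ip_id, off, n, off + n == size))
        off += n
    return pieces


def simulate(random_id):
    """Host sends two 1500-byte datagrams both stamped IP ID 7; the tail of the first is lost in
    the tunnel. Returns (datagrams reassembled at the far end, entries dropped on conflict)."""
    rng, used, remote = random.Random(1), set(), Reassembler()
    for n in range(2):
        ip_id = 7                                   # the value the misbehaving host reuses
        if random_id:                               # stand-in for scrub random-id: fresh, unused ID
            while ip_id == 7 or ip_id in used:
                ip_id = rng.randrange(1, 65536)
            used.add(ip_id)
        pieces = fragment("10.50.0.10", "192.168.111.10", ip_id, 1500)
        for p in (pieces if n else pieces[:1]):     # first datagram's tail never arrives
            remote.feed(p)
    return len(remote.completed), remote.dropped
```

Without the rewrite the second datagram collides with the stale half of the first and is thrown away; with distinct IDs it reassembles on its own.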