ipsec vti - weird only some data passes
-
We have 3 pfsense servers:
pfsense A (version 2.4.4-p3) - ex.: 100.61.10.1 (VTI - 10.31.2 and 10.41.2)
pfsense B (version 2.4.4-p3) - ex.: 150.150.10.2 (VTI - 10.31.1)
pfsense C (version 2.4.5-p1) - ex.: 99.10.10.10 (VTI - 10.41.1)
pfsense A has 2 ipsec VTI routes one to pfsense B and another to pfsense C
Firewall Ipsec rule is allow ANY
The problem is that some servers behind pfsense C cannot be reached from Server A (only ping and traceroute to the server works)
If we try to connect to port 80 or 433 on the servers nothing works.
VTI between pfsense A and B works without problems.
If we change to tunnel instead of VTI everything works.
-
Check your VTI interface MTUs. There's a bug in 2.4.4-p3 where the MTU configured on the interface doesn't get applied on reboot. Instead it's set to some fixed value. That would explain the behaviour you're seeing.
I don't have the Redmine link in my bookmarks anymore, but the bug is fixed in newer versions. The change is not that big, so if you're hesitant to upgrade, you could patch it manually on the 2.4.4-p3 instances.
-
Hi marcquark,
Yes you are right, it is a MTU problem.
Upgrading to 2.4.5 and using MTU and MSS clamp, fixed the problem.
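Added diagnostic example, not code from the thread or from pfSense: it reproduces the symptom pattern above (small ping passes, full-size packets vanish) by probing the tunnel path with DF-marked pings, then derives the MTU and MSS-clamp values to set on the VTI interface. The ping flags are assumptions about Linux iputils (`-M do`) and FreeBSD (`-D`) ping; the probe is pluggable so the search can also run against a simulated path.

```python
"""Detect an MTU black hole on an IPsec VTI path and compute the MSS clamp."""
import subprocess
import sys
from typing import Callable, Optional

IPV4_HDR = 20   # bytes
ICMP_HDR = 8
TCP_HDR = 20
DEFAULT_PING = IPV4_HDR + ICMP_HDR + 56   # the 84-byte echo that "works" in the report

Probe = Callable[[int], bool]   # probe(total_ip_packet_size) -> delivered?

def ping_df(host: str, timeout_s: int = 2) -> Probe:
    """Build a probe sending one ICMP echo with DF set (assumed Linux/FreeBSD ping flags)."""
    def probe(size: int) -> bool:
        payload = size - IPV4_HDR - ICMP_HDR
        if sys.platform.startswith("linux"):
            cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
        else:  # FreeBSD / pfSense shell
            cmd = ["ping", "-c", "1", "-t", str(timeout_s), "-D", "-s", str(payload), host]
        return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL).returncode == 0
    return probe

def find_path_mtu(probe: Probe, lo: int = 576, hi: int = 1500) -> Optional[int]:
    """Largest IP packet size in [lo, hi] delivered with DF set, or None if even lo fails."""
    if probe(hi):
        return hi
    if not probe(lo):
        return None                 # even the floor is dropped: not an MTU problem
    while hi - lo > 1:              # invariant: lo passes, hi fails
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo

def mss_clamp_for(mtu: int) -> int:
    """TCP MSS to clamp on the VTI interface so segments fit the discovered MTU."""
    return mtu - IPV4_HDR - TCP_HDR

def diagnose(probe: Probe) -> dict:
    """Small ping passes but full-size packets do not: the thread's symptom."""
    small_ok = probe(DEFAULT_PING)
    mtu = find_path_mtu(probe)
    black_hole = small_ok and mtu is not None and mtu < 1500
    return {"small_ping_ok": small_ok, "path_mtu": mtu, "mtu_black_hole": black_hole,
            "mss_clamp": mss_clamp_for(mtu) if mtu else None}

if __name__ == "__main__":
    print(diagnose(ping_df(sys.argv[1])))   # usage: script.py <host behind the far VTI>
```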