Which Correct MTU/MSS configuration
-
HI community, we have implemented 13 Site to site Ipsec VPN tunnels with pfsense 2.3.1_2 with a SG8600 and small alix boxes on remote sites. Some tunnels have up to 3 Phase 2 subnetworks.
It works in general but we have problems with MTU size with pppoe DSL connections with Nat-T.
Gateway interface is set to 1454 MTU.by testing ping packet size througth the tunnels, it doesn't work over 1394 MTU. I've then put 1390 In MSS IPsec settings.
This works better, but we still have troubles with packet size between 1394 an 1473 which drops into black hole. packaet size above 1473 are correctly frgamented.In consequence, we have many connections hangs randomly with htt, https, ssh,…
What is then the best settings I should have ? should I change IPSec MTU's Interface ?
Is setting MTU/MSS remote site is alsao needed ?thank you.
-
By seeking, this seems a problem similar to https://forum.pfsense.org/index.php?topic=87814.msg483118#msg483118.
Something in the modem router is blocking fragmented packet. This is SDSL tG605s
I'll ask hekp to ISP. -
By looking further, IPsec is generally not working well with NAT-T. I have many traffic drops.
neither with multiple Phase2, Even if status shows tunnels online.
Rebooting make tunnels work again for some time.I have changed NAT-T Tunnels with OpenVPN as i'm 100% pfsense on remote sites. Since it works much better.
I have just trouble when rebooting server. I'll make a topic.Regards