VPN established but no traffic through the tunnel
-
I can confirm I am seeing the same thing.
It seems to be to do with this rule:
scrub on carp1 all max-mss 1372 fragment reassemble
as I get blocks like this on packets that should pass:
Nov 3 16:13:08 pfwall1 pf: 792309 rule 4/0(match): block out on enc0: (tos 0x0, ttl 127, id 61099, offset 0, flags [DF], proto TCP (6), length 40) 192.168.2.4.7277 > 192.168.1.251.80: tcp 20 [bad hdr length 0 - too short, < 20]
It seems to have something to do with MSS clamping: I normally have to reduce the MTU on the end attached to Ethernet to 1412 to cope with the other end being on ADSL PPPoE, but to get it to work now I have to clamp the ADSL end to 1300 too. It seems to work normally with small packets, e.g. ssh, but bigger stuff, e.g. a web page, won't load. Strangely the webGUI always works; I guess this is the anti-lockout rule at work.
-
I'm not sure what version I upgraded to, but I'm now having IPSEC site-to-site VPN issues since Friday. The tunnel is established but it'll drop, pick up and drop again. No firewall rule changes.
Jim
-
_Yes! Morbus, you're right, I changed MTU values like this:
if:vr0(lan) –> MTU 1412
if:pppoe(wan) –> MTU 1372
everything works fine now,
Thanks a lot for your help ;)_
Correction, I made a mistake and the logs didn't refresh fast enough. I thought it was good, but the problem is still there; I have now reduced the WAN MTU to 1300 and the same thing happened :(
Example of MS DS (browse network):
rule 4/0(match): block out on enc0: (tos 0x0, ttl 127, id 13061, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.87.1138 > 192.168.1.1.445: [|tcp]
Same thing with any port... I can tell you my firewall rules LAN + IPSEC (enc0) are now on pass all any/any!
Does anyone have an idea?
-
Test the latest snapshot and report back; it should be fixed.
-
Uhmm, my tunnel is no longer passing any data. It went from cutting in and out to totally out now. :(
Please let me know what log information to post if need be.
-
Please post the output of the command
sysctl net.enc
-
Mine is
# sysctl net.enc
net.enc.out.ipsec_bpf_mask: 0000000000
net.enc.out.ipsec_filter_mask: 0000000000
net.enc.in.ipsec_bpf_mask: 0000000000
net.enc.in.ipsec_filter_mask: 0x00000002
I think net.enc.out.ipsec_filter_mask should be 1 rather than 0, as this fixes it on mine:
sysctl net.enc.out.ipsec_filter_mask=0x00000001
-
0 should disable filtering altogether on outgoing packets since you really cannot write rules for outgoing packets unless from floating rules tab.
-
Here is mine:
-
Mine's the same, jzsjr... Same problem as the rest in this topic.
-
Try changing the sysctl's to:
sysctl net.enc.out.ipsec_bpf_mask=0x00000002
sysctl net.enc.out.ipsec_filter_mask=0x00000002
sysctl net.enc.in.ipsec_bpf_mask=0x00000001
sysctl net.enc.in.ipsec_filter_mask=0x00000001
-
Where does one change this?
-
From a shell or SSH session (option 8), or from Diagnostics -> Command -> Shell command.
-
Upgrade to the latest snapshot.
-
Okay. I wasn't sure if it was a command or located in sysctl.conf (but there is nothing really in that file).
thanks,
Jim
-
Thanks Sullrich. Those commands did the trick.
Ermal, not sure what is up with the auto updater now but this is what I get:
Auto upgrade aborted.
Downloaded SHA256:
Needed SHA256: bad9308e0d492d9701e60766cf747777024b005cdad4819bba193fa8d7a6dfa8
Also I don't know where the 2.0 files are now for a manual upgrade. When I go to the old listing under _1 I see 1.2.1 files.
thanks,
Jim
-
Those 1.2.1 files should be the 2.0 updates; not sure why they are called 1.2.1!
-
Sullrich & Ermal,
Latest snapshot shows:
$ sysctl net.enc
net.enc.out.ipsec_bpf_mask: 0000000000
net.enc.out.ipsec_filter_mask: 0x00000002
net.enc.in.ipsec_bpf_mask: 0000000000
net.enc.in.ipsec_filter_mask: 0x00000001
Should they show what Sullrich suggested earlier in this thread?
thanks,
Jim
-
To me, those not set are just considered debugging options (tcpdump on enc0). So while debugging it makes sense to enable those; otherwise it is just 'overhead'.
Since 2.0 allows you to set such values from the GUI, I consider them unnecessary.
-
I am using:
2.0-ALPHA-ALPHA
built on Fri Apr 3 21:18:02 EDT 2009
FreeBSD 7.1-RELEASE-p4
and am still afflicted with the VPN tunnel staying up but no data passing. There was a fix provided by Sullrich earlier in this thread, and I hope it still works, though I'm not really sure what it does. This is happening to a colleague of mine too. We have used both the full install on a server base and the embedded install, with the same results. The VPN will work wonderfully for hours and then just stop passing data. I have gotten to the point where I merely reboot the racoon service now. I have recently updated, so I'll apply the commands below and see how they go again. I was hoping someone could explain what these commands accomplish and why they might not be permanently changed in a release.
sysctl net.enc.out.ipsec_bpf_mask=0x00000002
sysctl net.enc.out.ipsec_filter_mask=0x00000002
sysctl net.enc.in.ipsec_bpf_mask=0x00000001
sysctl net.enc.in.ipsec_filter_mask=0x00000001
thanks,
Jim
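As an added example (not from any poster in this thread and not pfSense code), a POSIX sh check that reads `sysctl net.enc` output and prints only the `sysctl` commands still needed to reach the four enc0 mask values sullrich posted above. It normalises the zero-padded and hex forms sysctl prints so they compare correctly; the wanted set is an assumption taken from this thread, and the sample input is constructed from Jim's "Latest snapshot shows" output.

```shell
#!/bin/sh
# Wanted enc0 mask values: assumption copied from sullrich's post in this thread.
ENC_WANTED='net.enc.out.ipsec_bpf_mask=0x00000002
net.enc.out.ipsec_filter_mask=0x00000002
net.enc.in.ipsec_bpf_mask=0x00000001
net.enc.in.ipsec_filter_mask=0x00000001'

# Normalise a sysctl value ("0000000000", "0x00000002" or "2") to a decimal
# integer so that zero-padded and hex spellings of the same mask compare equal.
enc_norm() {
    case "$1" in
        0x*|0X*) echo $(( $1 )) ;;
        *) n=$(printf '%s' "$1" | sed 's/^0*//'); echo "${n:-0}" ;;
    esac
}

# Look up the wanted value for one mask name; prints nothing for unknown keys.
enc_wanted_for() {
    printf '%s\n' "$ENC_WANTED" | sed -n "s/^$1=//p"
}

# Read "sysctl net.enc" output on stdin and print one "sysctl key=value" line
# per mask that differs from the wanted set. Returns 0 when all already match.
check_enc_masks() {
    changes=0
    while IFS=': ' read -r key cur; do
        case "$key" in net.enc.*) ;; *) continue ;; esac  # skip prompts/comments
        want=$(enc_wanted_for "$key")
        [ -n "$want" ] || continue                        # mask not tracked here
        if [ "$(enc_norm "$cur")" -ne "$(enc_norm "$want")" ]; then
            echo "sysctl $key=$want"
            changes=$((changes + 1))
        fi
    done
    [ "$changes" -eq 0 ]
}

# Constructed sample, taken from Jim's "Latest snapshot shows" output above.
# On a live box the same function is fed with:  sysctl net.enc | check_enc_masks
SAMPLE_ENC='net.enc.out.ipsec_bpf_mask: 0000000000
net.enc.out.ipsec_filter_mask: 0x00000002
net.enc.in.ipsec_bpf_mask: 0000000000
net.enc.in.ipsec_filter_mask: 0x00000001'
printf '%s\n' "$SAMPLE_ENC" | check_enc_masks || echo "masks differ; run the commands above"
```

Running it on Jim's sample prints the two `ipsec_bpf_mask` commands only, since the two `ipsec_filter_mask` values already match.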