TCP not routing through IPsec tunnel - MSS issue?

baketopher

The symptom is that none of my endpoints can access any website when pfSense is connected to the tunnel, but I can get a ping up to 1299 bytes through and DNS queries work. Any pings equal to or larger than 1300 bytes fail.

I've tried setting the MSS clamping to 1200 on the advanced tab of the IPsec config, but it doesn't seem to make any difference. I've also tried lowering it even further with no success. I've also tried setting the MTU and MSS settings on the WAN interface but no luck there either. I've tried setting the "Clear invalid DF bits instead of dropping the packets" in the Advanced settings, but also no luck. I've configured the same IPsec tunnel for Cisco ASA and CSR successfully but I had to set a MSS clamp of 1200 to get it to work. Are there any known issues with the MSS setting for IPsec? I'm running pfSense 2.4.4. Any suggestions of what to try or test would be welcome. Thanks!

Phonebuff

https://forum.netgate.com/topic/135994/ipsec-mtu-issue-only-from-windows-8

Similar Issue here -- You find a fix ?

baketopher

@phonebuff said in TCP not routing through IPsec tunnel - MSS issue?:

https://forum.netgate.com/topic/135994/ipsec-mtu-issue-only-from-windows-8

Similar Issue here -- You find a fix ?

The only thing that got webpages loaded on endpoints was to reduce the MTU on the client machines. Seems like a bug in pfSense to me.

chrismacmahon

Can you try disabling the setting of Asynchronous Cryptography?

This is located in VPN - IPSEC - Advanced setting bottom of the page.

Phonebuff

@chrismacmahon

Thank you for the suggestion. I will try this as soon as I can. But one question is the setting symmetric or can I just can the remote end.. (Windows Workstation).

TIA --

chrismacmahon

That setting was just released in 2.4.4, as far as I know it's only on the pfSense side:

IPsec Speed Improvements: The new Asynchronous Cryptography option under the IPsec Advanced Settings tab can dramatically improve IPsec performance on multi-core hardware.

Phonebuff

@chrismacmahon

Sorry I asked the question wrong this is two pfSense units. a 3100 and a 7100. the Windows box sits at the 3100 (remote) end. Should I turn the option off in both or can I just turn it off in the 3100.

chrismacmahon

I would be interested in the following combinations if you have the ability to test:

1: 3100 off, 7100 on
2: 3100 on, 7100 off
3: 3100 off, 7100 off

Phonebuff

@chrismacmahon

Okay, let me see what I can arrange to do for you ..

Phonebuff

@chrismacmahon

Quick update.  So I found out today that the 7100 are at 2.4.1 . Additionally, by hands & eyes at the other end is unavailable to work with me till next week and I can not risk locking myself out while he is away so this will have to wait.

baketopher

@chrismacmahon said in TCP not routing through IPsec tunnel - MSS issue?:

Can you try disabling the setting of Asynchronous Cryptography?

This is located in VPN - IPSEC - Advanced setting bottom of the page.

@chrismacmahon - this setting was already disabled in my config - I don't have the box Asynchronous Cryptography checked.