IPSec+IKEv2 and DualStack
-
Hello,
I have recently tried to set up a dual-stack IPsec GW based on pfSense for mobile clients.
Everything seems to be working fine on IPv4. Both IPv4 and IPv6 communication work seamlessly through the VPN tunnel, to the internal network, and to the Internet.
But when clients are connecting via IPv6, things seem fine with ping and traceroute, but when we try to reach, I guess, most websites and other resources - not so much. Does anyone have a suggestion?
I have tried to adjust the MTU-size, through MSS clamping as explained here:
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/advanced-ipsec-settings.html
Any suggestion on how to debug, or something else that can be tried?
The problem seems to persist both on windows clients, and on mac/ios-clients.
I am grateful for any suggestions.
-
Try to determine the maximum packet size from the client.
You can use 1400 as a starting value, and remember that ICMP header = 8 bytes, + IP header = 20 bytes.
Linux:
ping -M do -s 1472 example.com
Windows:
ping example.com -f -l 1472
FreeBSD:
ping -g 1400 -G 1500 -h 8 example.com
- in this case, the size of the payload automatically increases by 8 bytes per ping
-
I am testing from a Windows client; it seems like 1342 is the max for outgoing IPv6 packets, and 1362 is the max for outgoing IPv4 packets, while connected through IPv6:
C:\Windows\system32>ping 1.1.1.1 -f -l 1362

Pinging 1.1.1.1 with 1362 bytes of data:
Reply from 1.1.1.1: bytes=1362 time=16ms TTL=58
Reply from 1.1.1.1: bytes=1362 time=17ms TTL=58
Reply from 1.1.1.1: bytes=1362 time=17ms TTL=58
Reply from 1.1.1.1: bytes=1362 time=17ms TTL=58

Ping statistics for 1.1.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 16ms, Maximum = 17ms, Average = 16ms

C:\Windows\system32>ping 1.1.1.1 -f -l 1363

Pinging 1.1.1.1 with 1363 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 1.1.1.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Windows\system32>

C:\Windows\system32>ping -6 2606:4700:4700::1111 -l 1342

Pinging 2606:4700:4700::1111 with 1342 bytes of data:
Reply from 2606:4700:4700::1111: time=17ms
Reply from 2606:4700:4700::1111: time=17ms
Reply from 2606:4700:4700::1111: time=17ms
Reply from 2606:4700:4700::1111: time=17ms

Ping statistics for 2606:4700:4700::1111:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 17ms, Maximum = 17ms, Average = 17ms

C:\Windows\system32>ping -6 2606:4700:4700::1111 -l 1343

Pinging 2606:4700:4700::1111 with 1343 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 2606:4700:4700::1111:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Windows\system32>
And slightly higher for IPv4, and enormously higher for IPv6 when I am connected through IPv4:
C:\Windows\system32>ping 1.1.1.1 -f -l 1372

Pinging 1.1.1.1 with 1372 bytes of data:
Reply from 1.1.1.1: bytes=1372 time=68ms TTL=58
Reply from 1.1.1.1: bytes=1372 time=31ms TTL=58
Reply from 1.1.1.1: bytes=1372 time=16ms TTL=58
Reply from 1.1.1.1: bytes=1372 time=17ms TTL=58

Ping statistics for 1.1.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 16ms, Maximum = 68ms, Average = 33ms

C:\Windows\system32>ping 1.1.1.1 -f -l 1373

Pinging 1.1.1.1 with 1373 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for 1.1.1.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Windows\system32>

C:\Windows\system32>ping -6 2606:4700:4700::1111 -l 1566

Pinging 2606:4700:4700::1111 with 1566 bytes of data:
Reply from 2606:4700:4700::1111: time=24ms
Reply from 2606:4700:4700::1111: time=24ms
Reply from 2606:4700:4700::1111: time=24ms
Reply from 2606:4700:4700::1111: time=25ms

Ping statistics for 2606:4700:4700::1111:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 24ms, Maximum = 25ms, Average = 24ms

C:\Windows\system32>ping -6 2606:4700:4700::1111 -l 1567

Pinging 2606:4700:4700::1111 with 1567 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 2606:4700:4700::1111:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Windows\system32>
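The manual "bump the payload until the ping dies" procedure from the earlier reply, and the numbers measured in the post above, put into one script. This is an added example for this thread, not code from any poster, from pfSense or from strongSwan. It wraps the two ping invocations quoted in the reply (Linux `ping -M do -s N`, Windows `ping -f -l N`) in a binary search over the payload size, then converts the largest surviving payload into a path MTU and the TCP MSS that fits it. The header sizes are the standard ones (20-byte IPv4 header, 40-byte IPv6 header, 8-byte ICMP/ICMPv6 echo header, 20-byte TCP header); the simulated probe and the 1390-byte path it models are constructed so the script runs offline, and the function names are mine.

```python
"""Path-MTU probe with don't-fragment pings, and the MSS to clamp to.

Added example for this thread, not the poster's or Netgate's code. It wraps the
two ping invocations from the reply above (Linux `ping -M do -s N`, Windows
`ping -f -l N`) in a binary search, then turns the largest surviving payload
into a path MTU and a TCP MSS. Header sizes: RFC 791/8200/792/4443/793.
"""
import platform
import subprocess
import sys

ICMP_HDR = 8   # ICMP and ICMPv6 echo header
IP4_HDR = 20   # IPv4 header without options
IP6_HDR = 40   # IPv6 fixed header
TCP_HDR = 20   # TCP header without options


def path_mtu(max_payload: int, ipv6: bool) -> int:
    """Largest on-the-wire packet implied by the largest echo payload that got through."""
    return max_payload + ICMP_HDR + (IP6_HDR if ipv6 else IP4_HDR)


def mss_clamp(mtu: int, ipv6: bool) -> int:
    """TCP MSS that fits in `mtu` with a plain IP and TCP header (the value MSS clamping should advertise)."""
    return mtu - TCP_HDR - (IP6_HDR if ipv6 else IP4_HDR)


def ping_df(host: str, payload: int, ipv6: bool = False, timeout_s: int = 1) -> bool:
    """Send one echo request of `payload` data bytes with fragmentation forbidden.

    True only if a reply came back (both ping implementations exit 0 in that case).
    Caveat: IPv6 has no DF bit. Linux `-M do` makes the kernel refuse to send an
    oversized IPv6 probe instead of fragmenting it at the source; Windows ping
    documents -f as IPv4-only, so oversized IPv6 probes are source-fragmented
    and a reply then says nothing about the path MTU.
    """
    if platform.system() == "Windows":
        cmd = ["ping", "-6" if ipv6 else "-4", "-n", "1", "-w", str(timeout_s * 1000),
               "-f", "-l", str(payload), host]
    else:  # iputils ping on Linux
        cmd = ["ping", "-6" if ipv6 else "-4", "-c", "1", "-W", str(timeout_s),
               "-M", "do", "-s", str(payload), host]
    try:
        return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=timeout_s + 5).returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def find_max_payload(probe, lo: int = 0, hi: int = 1472) -> int:
    """Largest payload in [lo, hi] for which probe(payload) is True, by binary search.

    Assumes the path is monotonic (if N bytes pass, so does anything smaller).
    Returns -1 if even `lo` fails, so the caller can tell "no path" from "tiny MTU".
    1472 is the biggest IPv4 echo payload that fits a 1500-byte Ethernet frame.
    """
    if not probe(lo):
        return -1
    if probe(hi):
        return hi
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def simulated_probe(mtu: int, ipv6: bool):
    """Constructed stand-in for ping_df: a path that drops anything larger than `mtu`."""
    return lambda payload: path_mtu(payload, ipv6) <= mtu


def report(max_payload: int, ipv6: bool) -> dict:
    """Summarise one measurement as max payload, implied path MTU and MSS to clamp to."""
    mtu = path_mtu(max_payload, ipv6)
    return {"family": "IPv6" if ipv6 else "IPv4", "max_payload": max_payload,
            "path_mtu": mtu, "mss": mss_clamp(mtu, ipv6)}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real probe: python pmtu.py 1.1.1.1 2606:4700:4700::1111
        for host in sys.argv[1:]:
            v6 = ":" in host
            print(report(find_max_payload(lambda n: ping_df(host, n, v6)), v6))
    else:  # offline: replay the thread's numbers against a constructed 1390-byte path
        for v6 in (False, True):
            print(report(find_max_payload(simulated_probe(1390, v6)), v6))
```

Taken at face value, the two measurements made over IPv6 transport above agree with each other: 1362 + 8 + 20 and 1342 + 8 + 40 both give a path MTU of 1390 bytes, which would call for an MSS of 1350 for IPv4 and 1330 for IPv6. Two caveats when reading such numbers: Windows ping only sets DF for IPv4, so an IPv6 result obtained with `ping -6 -l N` was measured without fragmentation forbidden and the source host may have fragmented the probe; and a "Request timed out" can be a filtered ICMP "fragmentation needed" message rather than a genuine size limit, which is exactly the case MSS clamping is meant to paper over.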
-
I have tried reducing the MTU; I have tried 1342, or even as low as 1200, like this:
Is there a way to verify this on the client or on the server/strongSwan side?
-
Any other suggestions?