pfSense IPsec Microsoft Azure MTU
I've been chasing down a problem with an IPSec S2S VPN to Microsoft Azure for a few days now.
The basic issue is that whatever I've tried in pfSense (MSS clamping, explicitly setting the MTU of the LAN/WAN interfaces), pfSense does not seem to participate in PMTUD, and thus from my client LAN, I end up with an MTU black hole between 1420 and 1492 bytes (1492 being the MTU of my PPPoE link).
If I manually set my client NIC's MTU to 1420, then the problem disappears. If I swap the pfSense box for a Draytek 2860, I do not experience any issues (and I have about 6 or 7 locations using Draytek 2860s without any issues).
Microsoft actually recommend setting the MTU of the IPSec VPN to 1400, or if it is not possible to set the MTU, to instead set the MSS to 1350. I have tried setting the MSS of the pfSense VPN to 1350, but obviously this has no impact on UDP traffic.
Is it possible to explicitly set the MTU of an IPSec VPN tunnel? Or otherwise force pfSense to participate in PMTUD, as clearly the Draytek router is able to do.
I had the same issue with UDP traffic especially large packets. To solve I had to disable scrubbing. See:
Another option is to use baby jumbo(RFC4638) frames for PPPoE. Which sets the MTU to the MTU to 1500. See:
@rai80 Thanks - but what benefit would baby jumbo frames have here? I need pfSense to drop the MTU of the VPN tunnel to 1400 bytes in order to be compatible with Azure.
I've also tried disabling scrubbing, but it doesn't appear to have any effect. (the problem I am trying to troubleshoot is EAP-TLS WPA2 enterprise certificate authentication - this uses large UDP packets, but I feel I need to resolve this MTU black hole issue first.)
@rolytheflycatcher Baby jumbo frames will not help is this case. It will solve some MTU issues with IPV6.
A month ago I digged in the same issue. EAP-TLS with certificates and large UDP packets. In my case it was solved when I disabled scrubbing. I have the same scenario: W10 client -> pfSense box -> ipsec vpn -> Azure -> W2019 Server with NPS/PKI.
Did you set framed-mtu to 1344 in NPS ?
Default MTU for ipsec interface is 1400. MSS clamping is disabled by default. You can enable it. In my case it did not help.
To make sure its a MTU issue and packets are getting dropped, do a packet trace on the pfSense incoming interface and a packet trace on the Radius/NPS Server interface and compare packets. In my case only a few packets came through, most where missing.
@rai80 I have exactly same set up as you except I have NPS on a Win2k16 server in Azure.
Framed MTU is actually set to 1000 in NPS - I can't remember why that number, but I had trouble when I first set up EAP-TLS and I think I might have set it to 1000 to be well clear of any MTU limits.
I have EAP-TLS/cert auth working fine at several locations using Draytek 2860 routers as the VPN end point. So this problem is specific to PfSense - when I swap my pfsense box for a spare draytek 2860, the problem disappears.
Good idea about looking at packet traces on both sides.