    IPSec Site-Site - Problem with Oracle (port 1521)

    • modelador

      So we are a company in Brazil running pfSense 2.7.2-RELEASE (amd64).

      I had set up IPSec with our cloud provider so my LAN could access our two Linux VMs hosted there - One of them Oracle Linux.

      With our previous internet it was working fine. When we changed the internet, the problems started.
      Both internets are dedicated, and we have a public IP address.

      In general, IPSec works - I can ping the VMs, I can SSH, etc.

      The problem starts with port 1521. I get the following error on DBeaver:
      ORA-17002: I/O error: Connection reset, Authentication lapse 0 ms.

      Other ports are also bugged, such as port 8180 - which is our application port.

      Here is a tcpdump when I try to connect:
      13:25:28.856683 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [S], seq 822910510, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
      13:25:28.875982 (authentic,confidential): SPI 0xc03d22f7: IP 172.17.24.11.1521 > 10.11.11.170.53500: Flags [S.], seq 732684003, ack 822910511, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
      13:25:28.876221 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [.], ack 1, win 1026, length 0
      13:25:28.877146 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [P.], seq 1:283, ack 1, win 1026, length 282
      13:25:28.895197 (authentic,confidential): SPI 0xc03d22f7: IP 172.17.24.11.1521 > 10.11.11.170.53500: Flags [.], ack 283, win 237, length 0
      13:25:28.909403 (authentic,confidential): SPI 0xc03d22f7: IP 172.17.24.11.1521 > 10.11.11.170.53500: Flags [P.], seq 1:9, ack 283, win 237, length 8
      13:25:28.918979 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [P.], seq 283:565, ack 9, win 1026, length 282
      13:25:28.937597 (authentic,confidential): SPI 0xc03d22f7: IP 172.17.24.11.1521 > 10.11.11.170.53500: Flags [P.], seq 9:54, ack 565, win 245, length 45
      13:25:28.938243 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [P.U], seq 565:566, ack 54, win 1026, urg 1, length 1
      13:25:28.938336 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [P.], seq 566:577, ack 54, win 1026, length 11
      13:25:28.938872 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [P.], seq 577:610, ack 54, win 1026, length 33
      13:25:28.956920 (authentic,confidential): SPI 0xc03d22f7: IP 172.17.24.11.1521 > 10.11.11.170.53500: Flags [.], ack 577, win 245, length 0
      13:25:28.957187 (authentic,confidential): SPI 0xc03d22f7: IP 172.17.24.11.1521 > 10.11.11.170.53500: Flags [P.], seq 54:64, ack 610, win 245, length 10
      13:25:28.957197 (authentic,confidential): SPI 0xc03d22f7: IP 172.17.24.11.1521 > 10.11.11.170.53500: Flags [P.], seq 64:258, ack 610, win 245, length 194
      13:25:28.962197 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [.], ack 258, win 1025, length 0
      13:25:28.962959 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [.], seq 610:2070, ack 258, win 1025, length 1460
      13:25:28.962983 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [P.], seq 2070:3381, ack 258, win 1025, length 1311
      13:25:28.981461 (authentic,confidential): SPI 0xc03d22f7: IP 172.17.24.11.1521 > 10.11.11.170.53500: Flags [.], ack 3381, win 291, length 0
      13:25:28.982090 (authentic,confidential): SPI 0xc03d22f7: IP 172.17.24.11.1521 > 10.11.11.170.53500: Flags [P.], seq 1718:2963, ack 3381, win 291, length 1245
      13:25:28.982276 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [.], ack 258, win 1025, options [nop,nop,sack 1 {1718:2963}], length 0
      13:25:28.982277 (authentic,confidential): SPI 0xc03d22f7: IP 172.17.24.11.1521 > 10.11.11.170.53500: Flags [P.], seq 1656:2963, ack 3381, win 291, length 1307
      13:25:28.982508 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [.], ack 258, win 1025, options [nop,nop,sack 2 {1718:2963}{1656:2963}], length 0

      Any ideas?

      • pedro.343 @modelador

        @modelador I'm having the same issue, but between a pfSense and Oracle's OCI. Did you ever find a solution?

        • luckman212 @pedro.343

          @pedro.343 Try turning on MSS clamping and setting it to something like 1360.

          See MSS clamping for more info. Depending on whether you're using VTI or SA policy mode IPsec, the place to set it in the GUI might be different.

          • pedro.343 @luckman212
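As an added example (not from the thread or from Netgate), a small Python analyzer for the capture quoted in the first post: it finds the flow where the client's cumulative ACK stalls at 258 while it SACKs later blocks, measures the gap (1460 bytes, one full segment), and notes that the missing bytes never appear at the capture point at all, which is the path-MTU black-hole signature that luckman212's MSS clamping suggestion addresses. The tcpdump lines it parses are copied from the first post; the field names and the "within 100 bytes of the MSS" threshold are my own choices.

```python
"""Spot a TCP black hole in a tcpdump of IPsec-carried traffic (added example):
a receiver that keeps SACKing data beyond a cumulative ACK that never advances
has lost the segment in the gap; a gap of ~1 MSS that never recovers means MTU."""
import re

# Lines copied from the capture in the first post (server -> client leg).
CAPTURE = """\
13:25:28.957197 (authentic,confidential): SPI 0xc03d22f7: IP 172.17.24.11.1521 > 10.11.11.170.53500: Flags [P.], seq 64:258, ack 610, win 245, length 194
13:25:28.982090 (authentic,confidential): SPI 0xc03d22f7: IP 172.17.24.11.1521 > 10.11.11.170.53500: Flags [P.], seq 1718:2963, ack 3381, win 291, length 1245
13:25:28.982276 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [.], ack 258, win 1025, options [nop,nop,sack 1 {1718:2963}], length 0
13:25:28.982277 (authentic,confidential): SPI 0xc03d22f7: IP 172.17.24.11.1521 > 10.11.11.170.53500: Flags [P.], seq 1656:2963, ack 3381, win 291, length 1307
13:25:28.982508 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [.], ack 258, win 1025, options [nop,nop,sack 2 {1718:2963}{1656:2963}], length 0
"""

PKT = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): Flags \[[^\]]*\]"
    r"(?:, seq (?P<s0>\d+)(?::(?P<s1>\d+))?)?, ack (?P<ack>\d+)"
    r"(?:.*?sack \d+ (?P<sack>(?:\{\d+:\d+\})+))?")

def parse(text):
    """tcpdump lines -> dicts; lines without an ack field (bare SYN) are skipped."""
    pkts = []
    for m in filter(None, map(PKT.search, text.splitlines())):
        blocks = re.findall(r"\{(\d+):(\d+)\}", m.group("sack") or "")
        pkts.append({"src": m.group("src"), "dst": m.group("dst"), "ack": int(m.group("ack")),
                     "seq": (int(m.group("s0")), int(m.group("s1"))) if m.group("s1") else None,
                     "sack": [(int(a), int(b)) for a, b in blocks]})
    return pkts

def find_holes(pkts):
    """One hole per (receiver, sender): stalled ACK up to the lowest SACKed block.
    The first sighting is kept, since retransmits only shrink the gap afterwards."""
    holes = {}
    for p in pkts:
        if p["sack"] and (p["src"], p["dst"]) not in holes:
            lo = min(start for start, _ in p["sack"])
            holes[(p["src"], p["dst"])] = {"receiver": p["src"], "sender": p["dst"],
                                           "start": p["ack"], "end": lo, "size": lo - p["ack"]}
    for h in holes.values():
        same_flow = [p for p in pkts if {p["src"], p["dst"]} == {h["receiver"], h["sender"]}]
        # Did the receiver ever ACK past the gap? Did the missing bytes even reach the capture point?
        h["recovered"] = any(p["src"] == h["receiver"] and p["ack"] >= h["end"] for p in same_flow)
        h["seen_in_capture"] = any(p["src"] == h["sender"] and p["seq"]
                                   and p["seq"][0] <= h["start"] < p["seq"][1] for p in same_flow)
    return list(holes.values())

def mtu_suspect(hole, mss=1460):
    """A never-recovered gap of about one full segment is the classic PMTU black hole."""
    return not hole["recovered"] and hole["size"] >= mss - 100
```

Run against the full capture in the first post the result is the same: the only hole is 258:1718 in the server-to-client direction, exactly one 1460-byte MSS, so a clamp below the tunnel's effective MTU (luckman212's 1360) is the expected fix.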

            Thank you, @luckman212.

            I played around with the settings you pointed out and got it to work. I know this was an old thread, but now other people with the same issue can find guidance.

            Thanks again!

            Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.