Problem with share access over the IPSec VPN



  • Hi,
    I'll probably start from kind of network map what we've got (we've got more remote sites but I think it will be enough to show the point):

    MainSite              Site1                          Site2
    Network      172.10.0.0/19      192.168.1.0/24            192.168.2.0/24
    ISP              Leased line          SDSL line (PPPoA)        ADSL PPPoE       
    Speed          5Mbps/5Mbps        1,5Mbps/1,5Mbps          2,5Mbps/400kbps
    pfsense        1.3                      1.2                            1.3
    Site1 and Site2 is connected over the IPSec VPN to the MainSite. On Main site there are few servers Windows 2003 mainly with some shares and Linux for webserver. I can ping all sites and all sites can ping the main sites. I can connect to the servers via RDP, via SSH, via telnet in both ways. Below you can see sample tests what I've done so far to try to fix it.

    MainSite with Windows Share Folders - powervault server (I used IPs all the time to get the access, no DNS, no WINS).

    1. From Site1 I can access to the shares without any issues. Obviously I need to type username and password to authenticate. Then I can see all shares and then I can pick up one of the shares and I can open it.
    2. From Site2 I'm trying to do the same thing what I've done in first step. I can open the server, I can see all shares but as soon as I'm trying to open the share it's hanging up. Anyway I tried to access to different servers and I've got access to their shares. There is just problem with one server.
    3. I can open any share in Site1 and Site2 from MainSite.

    After few days I discover that http doesn't work as well. We're running apache2 on server in MainSite.

    1. From Site1 I can access through http to the web pages, http://172.10.0.20/index.htm
    2. From Site2 I cannot open this page at all. I can ping it and I can telnet it as well (telnet 172.10.0.20 80). As it's a linux machine I tried to open ssh and it's working as well.
    3. Also we've got apache on Windows server and I tried to open home page of this server on Site1 and Site2. I had the same problem like above, it's ok on Site1 but I can't open it on Site2. Telnet it's working for both sites (telnet 172.10.0.30 80).
    4. Then I open port 80 on main site, NAT to local web server and then I tried to open the same page by using external IP address. It worked!

    In first place I thought that's a problem with Widows Shares but after problem with http server I'm assuming there is something wrong with pfsesne/IPSec. Please advice if anyone had similar issue?



  • Hi,

    just for a test, lower your MTU on all ipsec connections where the adsl side is involved.
    PPPoE encapsulate the packet, then you are sending to big packet for this line.
    A normal ping ist to small to get an error, telnet and ssh are the same.

    hope it will help

    max





  • Thanks for replies.
    The problem is definitely related to MTU size and PPPoE connection. As in other offices we've got ADSL/SDSL lines with PPPoA connection and these work fine. I track this down by using ping command:
    ping -f -l 1472 192.168.6.10
    I end up with MTU size 1370. I think that will do for me by now. Anyway I'll try to check with my ISP to change the connection type.
    Thanks again.


Log in to reply