Netgate Discussion Forum
Traffic flows only from one side

IPsec
  • M
    marzl
    last edited by Mar 14, 2007, 5:24 PM

    Hi,

    We have a strange problem here with our IPSEC connection from pfSense to pfSense.

    172.18.18.0/24 LAN <-> pfsense A <-> WAN <-> pfSense B <-> LAN 172.16.16.0/24

    A: WRAP pfSense v1.01
    B: WRAP pfSense v1.0RC3 (very busy box, no chance to upgrade until now)
    Traffic from (A) to (B) is running fine, but the traffic from (B) to (A) stops after a specific amount of data (ex: scp stops at 132KB).

    We played around with MTU, but nothing helps.
    The problem looks pretty nearly exactly like this thread (http://forum.pfsense.org/index.php/topic,963.0.html),
    but we do not have any D-Link, pure pfSense :)

    I do not have any idea, could someone light a fire for me, pls? :)

    Greetings,
    Marcel

    • H
      hoba
      last edited by Mar 14, 2007, 5:54 PM

      Sorry to say it but you HAVE to find time to upgrade. Newer versions of pfSense run a newer FreeBSD and even newer IPSECTOOLS. Not to mention that thousands of lines of code have changed. Try the latest snapshot (it has IPSEC filtering now too, so you might have to create pass any rules at firewall>rules, ipsec after upgrading, though we usually install them automatically on upgrade from older versions that didn't have that feature).

      Searching for a bug in this config is like riding a dead horse as the bug might already be solved.

      • M
        marzl
        last edited by Mar 14, 2007, 6:35 PM

        You are right, we will upgrade tomorrow evening.
        Basically this was the answer I wanted to hear :)

        Since we are running 1.0.1 on A, isn't it a bad idea to upgrade B to the latest snapshot?
        Upgrading A too is impossible because of 500 km between me and B ….

        Greets and thanks for your prompt response!

        • H
          hoba
          last edited by Mar 14, 2007, 7:55 PM

          You can try upgrading the one end first. As you have 2 wraps you could probably prepare a cf card with the new image and upload the remote end's config. Then send it over so it's just a plug'n'play action to upgrade and you even can revert back if things for whatever reason break.

          • M
            marzl
            last edited by Mar 16, 2007, 10:58 AM

            Ok, some news: We have upgraded the RC3 to 1.0.1. Configuration was successfully imported and works great.
            But there are still some strange behaviors. Example:
            Copy a file via SCP from B to A works well, but vice versa it stops at 132 KB.
            But a copy from B to A between Windows 2003 Servers works. XP does not.

            Is this a matter of MTU? Where? Which MTU has to be modified if it goes that way?
            Do you need additional information from me? Any other idea?

            • H
              hoba
              last edited by Mar 16, 2007, 7:00 PM

              Try using smaller MTUs at interface>WAN at both ends. Start somewhere at 1300 and see if it works. If it does, go up in steps until it breaks again and then go back one step.

              • M
                marzl
                last edited by Mar 19, 2007, 10:35 PM

                Unfortunately this doesn't help that much. I lowered the MTU on both sides to 1300 but the problem still exists.

                Maybe this is important:
                The WAN connections on both sides are fixed IP addresses connected to somewhat transparent routers from the ISPs.
                We don't use PPPoE over here. Maybe the MTU has to be modified on these machines instead?

                • H
                  hoba
                  last edited by Mar 20, 2007, 1:40 AM

                  Shouldn't be a problem. If you only send out 1300-size packets, the routers/bridges in front won't inflate the packets to a larger size. Atm I have no other clues, sorry  :-\

                  • M
                    marzl
                    last edited by Mar 20, 2007, 7:54 AM

                    May I ask you if this is correct?
                    Client (MTU 1500) -> LAN (MTU 1500) -> IPSEC -> WAN (MTU 1300) -> INET <- WAN (MTU 1300) <- IPSEC <- LAN (MTU 1500) <- Client (MTU 1500)

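The diagram above and the step-down advice earlier in the thread both hinge on how much of the WAN MTU the ESP encapsulation consumes. As an added example, not from this thread or from pfSense's own code, the following Python works out the ESP tunnel-mode overhead for a given WAN MTU and the inner MTU and TCP MSS that remain; header sizes are the standard ESP/IPv4 values, and the cipher/hash combinations are assumed for illustration.

```python
# Added example: ESP tunnel-mode overhead versus WAN MTU (constructed parameters).
from dataclasses import dataclass

OUTER_IP4 = 20     # outer IPv4 header added in tunnel mode
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1), inside the encrypted part
UDP_HEADER = 8     # only present with NAT-T (UDP encapsulation)


@dataclass(frozen=True)
class EspParams:
    block: int      # cipher block size: 8 for 3DES-CBC, 16 for AES-CBC
    iv_len: int     # IV length: 8 for 3DES-CBC, 16 for AES-CBC
    icv_len: int    # truncated HMAC: 12 for HMAC-MD5-96 and HMAC-SHA1-96
    nat_t: bool = False


# Assumed proposals for illustration; check the actual phase 2 settings.
TRIPLE_DES_SHA1 = EspParams(block=8, iv_len=8, icv_len=12)
AES_CBC_SHA1 = EspParams(block=16, iv_len=16, icv_len=12)
AES_CBC_SHA1_NATT = EspParams(block=16, iv_len=16, icv_len=12, nat_t=True)


def esp_packet_size(inner_len: int, p: EspParams) -> int:
    """Bytes on the wire for an ESP tunnel-mode packet carrying inner_len bytes."""
    # Encrypted payload = inner packet + trailer, padded up to a block multiple.
    padded = -(-(inner_len + ESP_TRAILER) // p.block) * p.block
    return (OUTER_IP4 + (UDP_HEADER if p.nat_t else 0)
            + ESP_HEADER + p.iv_len + padded + p.icv_len)


def max_inner_mtu(wan_mtu: int, p: EspParams) -> int:
    """Largest inner packet whose ESP encapsulation still fits in wan_mtu."""
    n = wan_mtu
    while n > 0 and esp_packet_size(n, p) > wan_mtu:
        n -= 1
    return n


def tcp_mss_for(inner_mtu: int) -> int:
    """MSS to clamp on the LAN side so a full TCP segment fits the inner MTU."""
    return inner_mtu - 40   # IPv4 header (20) + TCP header (20), no options


if __name__ == "__main__":
    for wan in (1500, 1300):
        for name, p in (("3DES/SHA1", TRIPLE_DES_SHA1), ("AES/SHA1", AES_CBC_SHA1)):
            inner = max_inner_mtu(wan, p)
            print(f"WAN MTU {wan} {name}: inner MTU {inner}, TCP MSS {tcp_mss_for(inner)}")
```

Inner packets larger than the computed value must either be fragmented or, if they carry DF and the ICMP "fragmentation needed" reply never arrives, are silently dropped, which is exactly the pattern of a transfer that stalls after a fixed number of bytes.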
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.