Checksum errors and poor performance.
-
I have two boxes running pfSense 2.0 with a persistent IPsec tunnel between them. These boxes are peers on my test bench network (192.168.11.0 /24). I use a workstation on one network (192.168.0.0 /24) to manage a Hyper-V server on the other network (192.168.215.0 /24). Hyper-V Manager runs terribly slow. Accessing shared folders through the tunnel is also very slow. A packet capture on the IPSEC interface shows checksum errors.
13:58:25.033643 (authentic,confidential): SPI 0x08cff550: (tos 0x0, ttl 127, id 14061, offset 0, flags [none], proto TCP (6), length 576, bad cksum a942 (->aa42)!)
192.168.215.10.49154 > 192.168.0.45.1701: Flags [.], cksum 0xfa5f (correct), seq 537:1073, ack 192, win 512, length 536
In every instance, the checksum is off by 0x0100. I must have done something wrong, but I'll be damned if I can figure it out. Am I even on the right track?
I've attached a screenshot of my IPsec configuration.
-
Solved
System > Advanced > Misc. > Enable MSS clamping on VPN traffic
The problem was already-large RPC packets becoming too large as a result of IPsec encapsulation. After reducing the WAN MTU and messing up all my connections, a colleague suggested I try this setting. It works great with the default value of 1400.
Hopefully this helps someone.
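
Added example, not part of the original posts: the IPv4 header from the capture line above, rebuilt so the reported checksums can be recomputed. It assumes a 20-byte header with no options (consistent with IP length 576 and TCP payload 536); the function names are made up for this example. The captured value 0xa942 is exactly the checksum this header would carry with TTL 128, and 0xaa42 is the value for the captured TTL of 127, so the constant 0x0100 offset is what a one-hop TTL decrement without a checksum update looks like.

```python
import ipaddress
import struct


def ipv4_header(ttl, cksum=0, total_len=576, ident=14061, proto=6,
                src="192.168.215.10", dst="192.168.0.45"):
    """Build the 20-byte IPv4 header seen in the capture.

    Assumption: IHL=5 (no IP options), tos 0, flags none, offset 0.
    """
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0x00, total_len, ident, 0x0000, ttl, proto, cksum,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def ip_checksum(header):
    """RFC 1071 checksum: one's-complement of the folded 16-bit word sum."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def header_is_valid(header):
    """With the checksum field filled in, a valid header checksums to 0."""
    return ip_checksum(header) == 0


if __name__ == "__main__":
    at_ttl_127 = ip_checksum(ipv4_header(ttl=127))   # TTL as captured
    at_ttl_128 = ip_checksum(ipv4_header(ttl=128))   # one hop earlier
    print("checksum for ttl 127: 0x%04x" % at_ttl_127)
    print("checksum for ttl 128: 0x%04x" % at_ttl_128)
    print("difference:           0x%04x" % (at_ttl_127 - at_ttl_128))
    # The captured checksum field (0xa942) validates only against TTL 128.
    print("0xa942 valid at ttl 128:", header_is_valid(ipv4_header(128, 0xA942)))
    print("0xa942 valid at ttl 127:", header_is_valid(ipv4_header(127, 0xA942)))
```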