Connected successfully to a Sonicwall TZ170 but…

cmb

Works fine for me too, but when I set the -f option (do not fragment) it fails.

when you set -f with anything over your MTU on a ping on Windows, it never leaves the NIC of the box (I've verified this with tcpdump on another host). Windows realizes "hey, I can't send this without fragmenting", and should give you "Packet needs to be fragmented but DF set." without the packet ever touching the network.

this is indeed not an issue any more with pings.

from my house to Scott's (this is even with m0n0wall on my end, a little strange that this now works…):

root@s2# ping -s 3000 10.0.250.1
PING 10.0.250.1 (10.0.250.1): 3000 data bytes
3008 bytes from 10.0.250.1: icmp_seq=0 ttl=63 time=236.648 ms
3008 bytes from 10.0.250.1: icmp_seq=1 ttl=63 time=241.168 ms
3008 bytes from 10.0.250.1: icmp_seq=2 ttl=63 time=229.937 ms

But ping is actually a different issue - that was FreeBSD b0rking somewhere on fragmented packets (I guess on the receiving end, based upon the above result).

But with stuff like this still happening regularly with things like RDP, TCP definitely still seems to be an issue. Off to see what I can figure out with that.

It really shouldn't frag any TCP like it does with ICMP as we've exhibited here, because on any host OS with PMTUD enabled, the DF bit will always be set on packets. You don't want any of your network devices frag'ing DF packets, and always want to completely avoid frags if at all possible.

cmb

@sullrich:

SHRUGS. I'm not sure what's going on here but it seems that this is no longer a problem (MTU path discovery)

you can't test that with ping, as when using a -f and packet larger than MTU, it never leaves the box (with Windows at least, can't say that I've tried any other OS). So this test doesn't tell us that the problem is resolved at all. it just shows us a somewhat related other stupid issue with IPsec isn't a problem anymore. I was thinking maybe there would be a way to use ping in another regard to further test this, but that doesn't seem to be the case either because of Windows stupidity.

HaloGray

@sullrich:

Do you have anything in the event viewer that pertains to this?

I just tried connecting without bitmap caching and have an error generated about a missing printer driver (unrelated but it's sort of a place holder).
Turned on bitmap caching and tried to re-connect. > Black screen again.
Disabled bitmap caching and re-connected successfully again to find the printer error repeat, with nothing inbetween the two events.

So the short answer here is… no.

Regarding Windows and ping being a poor test, I have a linux box in the house and I could get to the shell on my pfsense box itself to run some ping tests. That is if you would find it helpful to do so.

cmb

My Windows box is being dumb - can either/both of you try this and see what you get?

I was thinking, I should be able to send a ping packet at 1499 bytes (or something like that) with DF, and it should hit the network. It doesn't. I can't even send a 1300 byte ping with DF.

try a
ping -l 1300 -f 10.x.x.x

to something on your LAN and see what you get.

HaloGray

From windows it works fine:
C:\WINDOWS|► ping -l 1300 -f 192.168.0.1

Pinging 192.168.0.1 with 1300 bytes of data:

Reply from 192.168.0.1: bytes=1300 time<1ms TTL=64

sullrich

C:\Documents and Settings\GeekGod.SULLRICH>ping -l 1300 -f 10.0.0.26

Pinging 10.0.0.26 with 1300 bytes of data:

Reply from 10.0.0.26: bytes=1300 time=82ms TTL=63
Reply from 10.0.0.26: bytes=1300 time=82ms TTL=63

billm

@cmb:

@sullrich:

I'm still curious why I never need to do this. I connect to any machine across the pfSense tunnel and connect to RDP, etc.

Why is it different in this case?

That's one I've never figured out. :D I've also successfully run RDP and about everything else over VPN tunnels using m0n0wall and pfsense. Client side group policy processing is the only issue I can easily replicate, because it sends a 2000 byte ping to determine link speed for GPO processing purposes. Because this never gets a reply, the machine aborts group policy processing. You can disable this pretty stupid means of link speed testing via group policy (though it's kinda hard to apply a fix through group policy to machines that can't apply group policies ;) ) or a registry change.

But it's easy to see and replicate the problem. Do a "ping -l 1400 10.x.x.x" to something across the tunnel, and it'll work. Increase it to 1470 or something like that, and it won't. You should be able to ping our servers at BGN with any size packet you want (it'll frag, so only if you allow frags out your LAN). The same won't work over VPN once you get over 1460 or so (though I've also seen oddities where it worked up into the 1460's before the packets started disappearing, which is another oddity).

Works for me?

ping -s 1600 192.168.177.254

PING 192.168.177.254 (192.168.177.254): 1600 data bytes
1608 bytes from 192.168.177.254: icmp_seq=0 ttl=63 time=61.553 ms
1608 bytes from 192.168.177.254: icmp_seq=1 ttl=63 time=31.591 ms
1608 bytes from 192.168.177.254: icmp_seq=2 ttl=63 time=33.823 ms

–Bill

lsf

CMB you are correct about assuming that you should be able to send 1499 (1500 actually) while the DF bit is set. Most likely you have run some internet tuning software or somthing that has been playing with some TCP settings. Because you should indeed be able to ping -f -s 1492 host.to.ping (should become 1500 bytes when you add the 8 byte overhead) so you should receive a 1500byte ping reply.
Sidenote: IIRC there was some PMTU discovery fix on FBSD not long ago. (last week or this week).

HaloGray

I went over to my linux box and pinged a host on the lan and then vpn.

$ ping -s 1492 192.168.0.3
PING 192.168.0.3 (192.168.0.3) 1492(1520) bytes of data.
1500 bytes from 192.168.0.3: icmp_seq=1 ttl=128 time=6.54 ms
1500 bytes from 192.168.0.3: icmp_seq=2 ttl=128 time=6.10 ms

LAN connection works.

$ ping -s 1492 10.50.1.1
PING 10.50.1.1 (10.50.1.1) 1492(1520) bytes of data.

–- 10.50.1.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1998ms

VPN does not. The MTU on my pfSense WAN connection is actually set at 1472, and pinging over the VPN from here succeeds at that level... so I'm confused. Any thoughts?

docjay

HaloGray, – You said that you successfully connected PfSense to a tZ170.. I would like to know how you did it. I 've been trying all day and I can only get the 1st proposal to negotiate & when it comes to the 2nd proposal, pfsense says that it failed to get the sa info.. I'm using 3DES, MD5 - Main mode with a liftime of 3600 for both proposals on each end of the tunnel & a shared secret. Also, I have PFS turned off on both ends. It sorta looks like the sonicwall might be sending the SA incorrectly.. in the logs below its stating that its loading the IPSec SA and doesn't do anything else with it. How is your sonicwall configured or do you have control of that end of the tunnel too like me? I am running PfSense 1.0.1 as of right now. I tried the latest snapshot and it wouldn't allow me to open any ports even though I could create the rules...firewall would just not let anything through, so I went back to 1.0.1

This wasn't an issue with monowall as the tunnel opened up the 1st time I configured it...I sorta thought it would be the same with pfsense... WRONG

Any light that you or anyone else can shine on this problem would be very helpful!! Thanks!

here is the log

PFSENSE Log:

Jan 27 19:15:44 racoon: INFO: respond new phase 2 negotiation: my public IP[500]<=>Sonicwall public IP[500]
Jan 27 19:15:35 racoon: ERROR: failed to pre-process packet.
Jan 27 19:15:35 racoon: ERROR: failed to get sainfo.
Jan 27 19:15:35 racoon: ERROR: failed to get sainfo.
Jan 27 19:15:35 racoon: INFO: respond new phase 2 negotiation: my public IP[500]<=>Sonicwall public IP[500]
Jan 27 19:15:31 racoon: ERROR: failed to pre-process packet.
Jan 27 19:15:31 racoon: ERROR: failed to get sainfo.
Jan 27 19:15:31 racoon: ERROR: failed to get sainfo.
Jan 27 19:15:31 racoon: INFO: respond new phase 2 negotiation: my public IP[500]<=>Sonicwall public IP[500]
Jan 27 19:15:30 racoon: INFO: ISAKMP-SA established my public IP[500]-remote endpoint IP[500] spi:298954413c2a7e57:bc05551c9144678a
Jan 27 19:15:30 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jan 27 19:15:30 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Jan 27 19:15:30 racoon: INFO: begin Identity Protection mode.
Jan 27 19:15:30 racoon: INFO: respond new phase 1 negotiation: my public IP[500]<=>Sonicwall public IP[500]
Jan 27 19:14:20 racoon: ERROR: such policy already exists. anyway replace it: 172.25.47.0/24[0] 192.168.168.0/32[0] proto=any dir=out
Jan 27 19:14:20 racoon: ERROR: such policy already exists. anyway replace it: 172.25.47.1/32[0] 172.25.47.0/24[0] proto=any dir=out
Jan 27 19:14:20 racoon: ERROR: such policy already exists. anyway replace it: 192.168.168.0/32[0] 172.25.47.0/24[0] proto=any dir=in
Jan 27 19:14:20 racoon: ERROR: such policy already exists. anyway replace it: 172.25.47.0/24[0] 172.25.47.1/32[0] proto=any dir=in
Jan 27 19:14:20 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jan 27 19:14:20 racoon: INFO: 172.25.47.1[500] used as isakmp port (fd=20)
Jan 27 19:14:20 racoon: INFO: fe80::208:c7ff:fe45:b765%fxp0[500] used as isakmp port (fd=19)
Jan 27 19:14:20 racoon: INFO: fe80::208:c7ff:fe49:3a42%fxp1[500] used as isakmp port (fd=18)
Jan 27 19:14:20 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jan 27 19:14:20 racoon: INFO: 70.189.100.15[500] used as isakmp port (fd=17)
Jan 27 19:14:20 racoon: INFO: fe80::208:c7ff:feda:7856%fxp2[500] used as isakmp port (fd=16)
Jan 27 19:14:20 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jan 27 19:14:20 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)

SONICWALL LOG:

26 01/27/2007 19:15:44.368 Loading IPSec SA (Message ID = 0xf675449b, Local SPI = 0x79e8fb1f, Remote SPI = 0)
27 01/27/2007 19:15:35.352 Loading IPSec SA (Message ID = 0xf675449b, Local SPI = 0x79e8fb1f, Remote SPI = 0)
28 01/27/2007 19:15:30.912 RECEIVED<<< ISAKMP OAK INFO (InitCookie 0x298954413c2a7e57, MsgID: 0x99082F31) *(HASH, NOTIFY:INITIAL_CONTACT) my public IP, 500 (admin) 216.23.14.18, 500
29 01/27/2007 19:15:30.912 SENDING>>>> ISAKMP OAK QM (InitCookie 0x298954413c2a7e57, MsgID: 0xF675449B) *(HASH, SA, NON, ID, ID) Sonicwall public IP, 500 my public IP, 500
30 01/27/2007 19:15:30.912 IKE Initiator: Start Quick Mode (Phase 2). Sonicwall public IP, 500 my public IP, 500
31 01/27/2007 19:15:30.912 IKE Initiator: Main Mode complete (Phase 1) Sonicwall public IP, 500 my public IP, 500 3DES MD5 Group 2 lifeSeconds=3600
32 01/27/2007 19:15:30.912 RECEIVED<<< ISAKMP OAK MM (InitCookie 0x298954413c2a7e57, MsgID: 0x0) *(ID, HASH) my public IP, 500 (admin) Sonicwall public IP, 500
33 01/27/2007 19:15:30.832 SENDING>>>> ISAKMP OAK MM (InitCookie 0x298954413c2a7e57, MsgID: 0x0) *(ID, HASH) Sonicwall public IP, 500 my public IP, 500
34 01/27/2007 19:15:30.736 RECEIVED<<< ISAKMP OAK MM (InitCookie 0x298954413c2a7e57, MsgID: 0x0) (KE, NON) my public IP, 500 (admin) Sonicwall public IP, 500
35 01/27/2007 19:15:30.640 SENDING>>>> ISAKMP OAK MM (InitCookie 0x298954413c2a7e57, MsgID: 0x0) (KE, NON, VID, VID, VID) Sonicwall public IP, 500 my public IP, 500
36 01/27/2007 19:15:30.544 NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal Sonicwall public IP, 500 my public IP, 500
37 01/27/2007 19:15:30.544 RECEIVED<<< ISAKMP OAK MM (InitCookie 0x298954413c2a7e57, MsgID: 0x0) (SA, VID) my public IP, 500 (admin) Sonicwall public IP, 500
38 01/27/2007 19:15:30.464 SENDING>>>> ISAKMP OAK MM (InitCookie 0x298954413c2a7e57, MsgID: 0x0) (SA, VID) Sonicwall public IP, 500 my public IP, 500
39 01/27/2007 19:15:30.464 IKE Initiator: Start Main Mode negotiation (Phase 1) Sonicwall public IP, 500 my public IP, 500

docjay

fixed my problem with my sonicwall tz170 & pfsense.. on the pfsense side of the tunnel, when I was entering in the remote subnet, I left the subnet class with the default of 32, when it should have been 24. When I changed that everything worked like it should! Imagine that..