Ipsec routing or NAT problem with VIP alias



  • hello folks,

    I'm a bit stuck and need some help.

    I need to create an IPSec tunnel to another foreign company. They want me to use a custom local network 172.16.13.0/24 which is different from my local network 192.168.0.0/24.

    So I created a VIP alias on the PFS LAN interface 172.16.13.1. (The PFS LAN interface ip is 192.168.0.252.)
    After that I was able to setup the IPSEC tunnel using the VIP subnet address as local subnet.

    The IPSEC tunnel connects without any problem - so far so good!

    Now I need to access their system with Ip address 10.34.12.7.

    From PFS Shell: ping -S 172.16.13.1  10.34.12.7 is reply - no problem.

    From PFS Shell: ping -S 192.168.0.252  10.34.12.7 is time-out - not possible.

    A ping from any client my local network 192.168.0.0/24 to the Pfs VIP 172.16.13.1 is reply.

    But a ping from any client in the local network 192.168.0.0/24 to 10.34.12.7 is time-out.

    Firewall log is not blocking traffic.

    Looks like  my PFS is not routing traffic from my LAN network to remote IP 10.34.12.7 using the VIP address 172.16.13.1 as NAT.
    I suggest that this company rejects traffic with network address 192.168.0.0 and only allowing 172.16.13.0/24 addresses.

    How can I tell my PFS to use 172.16.13.1 as NAT address from my local network 192.168.0.0 for traffic designated to network 10.34.12.0 over the IPSec tunnel? I maybe wrong so any suggest are welcome!

    The IPsec tunnel is stable so that's not the issue. I'm really stuck, tried everything but without any luck. I have a fine stable IPSec tunnel but need a hand to make it work for my internal network.

    Thanks.


  • Rebel Alliance Developer Netgate

    NAT+IPsec does not work that way.

    Actually it doesn't work at all on 2.0.x, and was only recently added to 2.1. On 2.1 you don't need the IP alias setup at all to do that.

    The way you set it up would work if you didn't use NAT, and just had a local client PC with an IP inside of the 172.16.13.x subnet.



  • @jimp:

    NAT+IPsec does not work that way.

    Actually it doesn't work at all on 2.0.x, and was only recently added to 2.1. On 2.1 you don't need the IP alias setup at all to do that.

    The way you set it up would work if you didn't use NAT, and just had a local client PC with an IP inside of the 172.16.13.x subnet.

    Hello,

    Well I'm running:

    2.1-BETA0 (i386)
    built on Wed Nov 14 10:56:57 EST 2012

    FreeBSD 8.3-RELEASE-p4

    If I don't create a VIP 172.16.13.1 on the LAN interface I am missing the connect VPN button in the Status - IPsec page.

    I did put a client in the VIP net using IP 172.16.13.5/24 and gateway 172.16.13.1. A ping to 10.34.12.7 show a stable reply and also fires up the IPSec VPN tunnel automatically if closed.

    It would be much appreciated if I don't have to change the client IP addresses from the network 192.168.0.0/24 to the 172.16.13.0/24 network.

    Also I did investigated a packed capture on the IPSec interface, showing a lot of bad chsum packets. A packet capture on the WAN or LAN interface never shows any bad ckum, this happens only on the IPSec interface. Any idea what that means?

    172.16.13.5 > 10.34.12.7: ICMP echo request, id 1, seq 177, length 40
    22:29:02.323489 (authentic,confidential): SPI 0x0016a61d: (tos 0x0, ttl 63, id 9955, offset 0, flags [none], proto ICMP (1), length 60)
        10.34.12.7 > 172.16.13.5: ICMP echo reply, id 1, seq 177, length 40
    22:29:03.319266 (authentic,confidential): SPI 0xbfad6f80: (tos 0x0, ttl 127, id 27284, offset 0, flags [none], proto ICMP (1), length 60, bad cksum ef (->1ef)!)
        172.16.13.5 > 10.34.12.7: ICMP echo request, id 1, seq 178, length 40
    22:29:03.323392 (authentic,confidential): SPI 0x0016a61d: (tos 0x0, ttl 63, id 9956, offset 0, flags [none], proto ICMP (1), length 60)
        10.34.12.7 > 172.16.13.5: ICMP echo reply, id 1, seq 178, length 40
    22:29:04.319274 (authentic,confidential): SPI 0xbfad6f80: (tos 0x0, ttl 127, id 27287, offset 0, flags [none], proto ICMP (1), length 60, bad cksum ec (->1ec)!)
        172.16.13.5 > 10.34.12.7: ICMP echo request, id 1, seq 179, length 40
    22:29:04.323410 (authentic,confidential): SPI 0x0016a61d: (tos 0x0, ttl 63, id 9957, offset 0, flags [none], proto ICMP (1), length 60)
        10.34.12.7 > 172.16.13.5: ICMP echo reply, id 1, seq 179, length 40
    22:29:10.719539 (authentic,confidential): SPI 0xbfad6f80: (tos 0x0, ttl 127, id 27358, offset 0, flags [DF], proto TCP (6), length 52, bad cksum c0a7 (->c1a7)!)
        172.16.13.5.62942 > 10.34.12.7.80: Flags , cksum 0xf4bf (correct), seq 1718038146, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
    22:29:10.723782 (authentic,confidential): SPI 0x0016a61d: (tos 0x0, ttl 63, id 0, offset 0, flags [none], proto TCP (6), length 52)
        10.34.12.7.80 > 172.16.13.5.62942: Flags [S.], cksum 0xeb7b (correct), seq 863231782, ack 1718038147, win 5840, options [mss 1400,nop,nop,sackOK,nop,wscale 7], length 0
    22:29:10.724017 (authentic,confidential): SPI 0xbfad6f80: (tos 0x0, ttl 127, id 27359, offset 0, flags [DF], proto TCP (6), length 40, bad cksum c0b2 (->c1b2)!)
        172.16.13.5.62942 > 10.34.12.7.80: Flags [.], cksum 0x02a0 (correct), seq 1, ack 1, win 16450, length 0
    22:29:10.724267 (authentic,confidential): SPI 0xbfad6f80: (tos 0x0, ttl 127, id 27360, offset 0, flags [DF], proto TCP (6), length 300, bad cksum bfad (->c0ad)!)
        172.16.13.5.62942 > 10.34.12.7.80: Flags [P.], cksum 0x729e (correct), seq 1:261, ack 1, win 16450, length 260
    22:29:10.728517 (authentic,confidential): SPI 0x0016a61d: (tos 0x0, ttl 63, id 25949, offset 0, flags [none], proto TCP (6), length 40)
        10.34.12.7.80 > 172.16.13.5.62942: Flags [.], cksum 0x41a8 (correct), seq 1, ack 261, win 54, length 0
    22:29:10.734702 (authentic,confidential): SPI 0x0016a61d: (tos 0x0, ttl 63, id 25950, offset 0, flags [+], proto TCP (6), length 1420)
        10.34.12.7.80 > 172.16.13.5.62942: Flags [.], seq 1:1381, ack 261, win 54, length 1380
    22:29:10.734715 (authentic,confidential): SPI 0x0016a61d: (tos 0x0, ttl 63, id 25950, offset 1400, flags [none], proto TCP (6), length 40)
        10.34.12.7 > 172.16.13.5: tcp
    22:29:10.734751 (authentic,confidential): SPI 0x0016a61d: (tos 0x0, ttl 63, id 25951, offset 0, flags [none], proto TCP (6), length 717)
        10.34.12.7.80 > 172.16.13.5.62942: Flags [F.], cksum 0xad6c (correct), seq 1401:2078, ack 261, win 54, length 677
    22:29:10.735013 (authentic,confidential): SPI 0xbfad6f80: (tos 0x0, ttl 127, id 27361, offset 0, flags [DF], proto TCP (6), length 52, bad cksum c0a4 (->c1a4)!)
        172.16.13.5.62942 > 10.34.12.7.80: Flags [.], cksum 0x98b9 (correct), seq 261, ack 1, win 16450, options [nop,nop,sack 1 {1401:2078}], length 0
    22:29:13.734640 (authentic,confidential): SPI 0x0016a61d: (tos 0x0, ttl 63, id 25952, offset 0, flags [+], proto TCP (6), length 1420)
        10.34.12.7.80 > 172.16.13.5.62942: Flags [.], seq 1:1381, ack 261, win 54, length 1380
    22:29:13.734654 (authentic,confidential): SPI 0x0016a61d: (tos 0x0, ttl 63, id 25952, offset 1400, flags [none], proto TCP (6), length 40)
        10.34.12.7 > 172.16.13.5: tcp


  • Rebel Alliance Developer Netgate

    The connect button is optional and only shows up when the firewall has an IP inside the local phase 2 network.

    Delete the IP Alias VIP. Then in your Phase 2 settings, make the local network your real local network, and in the NAT box underneath that, put in your NAT subnet. That should be all you need to do.



  • And since NAT before IPsec is a new feature (code committed to 2.1-BETA a few weeks ago), please provide feedback about how it works for you !



  • Hello,

    thanks a lot really appreciate your help.

    I deleted the VIP and made the changes to the Ipsec phase 2 settings. Ping from a client in 192.168.0.0/24 network to ip 10.34.12.7 fires up the tunnel and gives a reply. So far so good!

    Only I forgot to mention I have an other IPsec tunnen between a second location. Usually I can ping to the firewalls LAN address 172.31.0.1/24 in the remote location. But since I created the new IPSec tunnel to 10.34.12.0/24 I am unable to ping to 172.31.0.1. Having a look in the 172.31.0.1 firewall's log (happen to be also a Pfs) seems to be traffic for 172.31.0.0/24 is translated to the IPSec NAT rule 172.16.13.0 I created in the other IPSec tunnel phase 2 settings.

    Nov 15 10:50:32
    pf: 172.16.13.6 > 172.31.0.1: ICMP echo request, id 1, seq 37597, length 40
    Nov 15 10:50:32
    pf: 00:00:33.015203 rule 1/0(match): block in on enc0: (tos 0x0, ttl 126, id 15844, offset 0, flags [none], proto ICMP (1), length 60)

    So in the 172.13.0.1 Pfs I created a rule for IPSec allowing ICMP request and it's not blocked anymore but still no reply. Checked also the local firewall 192.168.0.252 log but no blocking.



  • Can you please update to a later snapshot or sync to the latest code and retry.
    I pushed some fixes for your situation.



  • hello,

    updated as you requested. Now running:

    2.1-BETA0 (i386)
    built on Thu Nov 15 06:47:38 EST 2012
    FreeBSD 8.3-RELEASE-p4
    You are on the latest version.

    Sorry to tell you updating didn't fix the problem. Ping from client in network 192.168.0.0/24 to remote location firewall's IP 172.31.0.1 still doesn't reply. Checking the remote firewall 172.3.0.1 still shows an incorrect source address 172.16.13.x.

    Ping from local network 192.168.0.0/24 to 10.34.12.7 is no problem.

    Packet capture IPSec interface shows bad cksum:

    18:47:39.428817 (authentic,confidential): SPI 0x20cb971b: (tos 0x0, ttl 126, id 27348, offset 0, flags [none], proto ICMP (1), length 60, bad cksum fa15 (->fb15)!)
        192.168.0.6 > 10.34.12.7: ICMP echo request, id 1, seq 37937, length 40
    18:47:39.432935 (authentic,confidential): SPI 0x07e640f2: (tos 0x0, ttl 63, id 41564, offset 0, flags [none], proto ICMP (1), length 60)
        10.34.12.7 > 172.16.13.6: ICMP echo reply, id 1, seq 37937, length 40
    18:47:40.430607 (authentic,confidential): SPI 0x20cb971b: (tos 0x0, ttl 126, id 27354, offset 0, flags [none], proto ICMP (1), length 60, bad cksum fa0f (->fb0f)!)
        192.168.0.6 > 10.34.12.7: ICMP echo request, id 1, seq 37938, length 40
    18:47:40.435219 (authentic,confidential): SPI 0x07e640f2: (tos 0x0, ttl 63, id 41565, offset 0, flags [none], proto ICMP (1), length 60)
        10.34.12.7 > 172.16.13.6: ICMP echo reply, id 1, seq 37938, length 40
    18:47:41.217841 (authentic,confidential): SPI 0x05694b99: (tos 0x0, ttl 127, id 39010, offset 0, flags [DF], proto TCP (6), length 41)
        172.31.0.12.4240 > 192.168.0.17.49156: Flags [.], cksum 0x4e6f (correct), seq 3941286065:3941286066, ack 1779273612, win 65203, length 1
    18:47:41.218103 (authentic,confidential): SPI 0x064d12c6: (tos 0x0, ttl 126, id 23158, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 3469 (->3569)!)
        192.168.0.17.49156 > 172.31.0.12.4240: Flags [.], cksum 0xc7f1 (correct), seq 1, ack 1, win 63454, options [nop,nop,sack 1 {0:1}], length 0
    18:47:41.415288 (authentic,confidential): SPI 0x064d12c6: (tos 0x0, ttl 126, id 23159, offset 0, flags [DF], proto TCP (6), length 41, bad cksum 3473 (->3573)!)
        192.168.0.17.49156 > 172.31.0.12.4240: Flags [.], cksum 0x5544 (correct), seq 0:1, ack 1, win 63454, length 1
    18:47:41.432273 (authentic,confidential): SPI 0x20cb971b: (tos 0x0, ttl 126, id 27362, offset 0, flags [none], proto ICMP (1), length 60, bad cksum fa07 (->fb07)!)
        192.168.0.6 > 10.34.12.7: ICMP echo request, id 1, seq 37939, length 40
    18:47:41.435381 (authentic,confidential): SPI 0x05694b99: (tos 0x0, ttl 127, id 39011, offset 0, flags [DF], proto TCP (6), length 40)
        172.31.0.12.4240 > 192.168.0.17.49156: Flags [.], cksum 0x4e6f (correct), seq 1, ack 1, win 65203, length 0
    18:47:41.436383 (authentic,confidential): SPI 0x07e640f2: (tos 0x0, ttl 63, id 41566, offset 0, flags [none], proto ICMP (1), length 60)
        10.34.12.7 > 172.16.13.6: ICMP echo reply, id 1, seq 37939, length 40
    18:47:42.432940 (authentic,confidential): SPI 0x20cb971b: (tos 0x0, ttl 126, id 27377, offset 0, flags [none], proto ICMP (1), length 60, bad cksum f9f8 (->faf8)!)
        192.168.0.6 > 10.34.12.7: ICMP echo request, id 1, seq 37940, length 40
    18:47:42.437053 (authentic,confidential): SPI 0x07e640f2: (tos 0x0, ttl 63, id 41567, offset 0, flags [none], proto ICMP (1), length 60)
        10.34.12.7 > 172.16.13.6: ICMP echo reply, id 1, seq 37940, length 40

    Thanks so far.



  • Hello,

    currently I am on version:

    2.1-BETA0 (i386)
    built on Mon Nov 26 06:49:28 EST 2012

    FreeBSD 8.3-RELEASE-p5

    And the good news is I'm able to do a successfull ping from LAN 192.168.0.0/24 to both remote locations 172.31.0.1 and 10.34.12.7.

    But accessing a http relatated side at address http://10.34.12.7 from the LAN 192.168.0.0 is not possible. So I can do a succesfull ping to 10.34.12.7 but somehow http traffic is not possible (you can wait for ages/egg timer)
    Sure all the proper firewall rules must be correct.

    Any suggestions are welcome!

    Hereby the packet capture log when trying to access http://10.34.12.7 from LAN client Ip 192.1688.0.6 (no proxy):

    20:41:59.022456 (authentic,confidential): SPI 0xb0de308d: (tos 0x0, ttl 126, id 4654, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 12bf (->13bf)!)
        192.168.0.6.56377 > 10.34.12.7.80: Flags , cksum 0x292e (correct), seq 423123279, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
    20:41:59.026557 (authentic,confidential): SPI 0x01d89470: (tos 0x0, ttl 63, id 0, offset 0, flags [none], proto TCP (6), length 52)
        10.34.12.7.80 > 172.16.13.6.56377: Flags [S.], cksum 0x85df (correct), seq 3751990425, ack 423123280, win 5840, options [mss 1400,nop,nop,sackOK,nop,wscale 7], length 0
    20:41:59.026682 (authentic,confidential): SPI 0xb0de308d: (tos 0x0, ttl 126, id 4655, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 12ca (->13ca)!)
        192.168.0.6.56377 > 10.34.12.7.80: Flags [.], cksum 0x956b (correct), seq 423123280, ack 3751990426, win 16450, length 0
    20:41:59.027185 (authentic,confidential): SPI 0xb0de308d: (tos 0x0, ttl 126, id 4656, offset 0, flags [DF], proto TCP (6), length 307, bad cksum 11be (->12be)!)
        192.168.0.6.56377 > 10.34.12.7.80: Flags [P.], cksum 0xe6b6 (correct), seq 0:267, ack 1, win 16450, length 267
    20:41:59.031294 (authentic,confidential): SPI 0x01d89470: (tos 0x0, ttl 63, id 60328, offset 0, flags [none], proto TCP (6), length 40)
        10.34.12.7.80 > 172.16.13.6.56377: Flags [.], cksum 0xdc04 (correct), seq 1, ack 268, win 54, length 0
    20:41:59.040404 (authentic,confidential): SPI 0x01d89470: (tos 0x0, ttl 63, id 60329, offset 0, flags [+], proto TCP (6), length 1420)
        10.34.12.7.80 > 172.16.13.6.56377: Flags [.], seq 1:1381, ack 268, win 54, length 1380
    20:41:59.040422 (authentic,confidential): SPI 0x01d89470: (tos 0x0, ttl 63, id 60329, offset 1400, flags [none], proto TCP (6), length 40)
        10.34.12.7 > 172.16.13.6: tcp
    20:41:59.040430 (authentic,confidential): SPI 0x01d89470: (tos 0x0, ttl 63, id 60330, offset 0, flags [none], proto TCP (6), length 717)
        10.34.12.7.80 > 172.16.13.6.56377: Flags [F.], cksum 0x47c9 (correct), seq 1401:2078, ack 268, win 54, length 677
    20:41:59.040674 (authentic,confidential): SPI 0xb0de308d: (tos 0x0, ttl 126, id 4657, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 12bc (->13bc)!)
        192.168.0.6.56377 > 10.34.12.7.80: Flags [.], cksum 0xe838 (correct), seq 267, ack 1, win 16450, options [nop,nop,sack 1 {1401:2078}], length 0
    20:42:02.041168 (authentic,confidential): SPI 0x01d89470: (tos 0x0, ttl 63, id 60331, offset 0, flags [+], proto TCP (6), length 1420)
        10.34.12.7.80 > 172.16.13.6.56377: Flags [.], seq 1:1381, ack 268, win 54, length 1380
    20:42:02.041185 (authentic,confidential): SPI 0x01d89470: (tos 0x0, ttl 63, id 60331, offset 1400, flags [none], proto TCP (6), length 40)
        10.34.12.7 > 172.16.13.6: tcp
    20:42:03.026136 (authentic,confidential): SPI 0xb0de308d: (tos 0x0, ttl 126, id 4709, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 1294 (->1394)!)
        192.168.0.6.56377 > 10.34.12.7.80: Flags [R.], cksum 0xd49e (correct), seq 267, ack 1, win 0, length 0
    20:42:07.334926 (authentic,confidential): SPI 0xb0de308d: (tos 0x0, ttl 126, id 4747, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 1262 (->1362)!)
        192.168.0.6.56380 > 10.34.12.7.80: Flags , cksum 0x46f2 (correct), seq 3723851466, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
    20:42:07.339146 (authentic,confidential): SPI 0x01d89470: (tos 0x0, ttl 63, id 0, offset 0, flags [none], proto TCP (6), length 52)
        10.34.12.7.80 > 172.16.13.6.56380: Flags [S.], cksum 0x9cdd (correct), seq 4126852359, ack 3723851467, win 5840, options [mss 1400,nop,nop,sackOK,nop,wscale 7], length 0
    20:42:07.339401 (authentic,confidential): SPI 0xb0de308d: (tos 0x0, ttl 126, id 4749, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 126c (->136c)!)
        192.168.0.6.56380 > 10.34.12.7.80: Flags [.], cksum 0xac69 (correct), seq 3723851467, ack 4126852360, win 16450, length 0
    20:42:07.339646 (authentic,confidential): SPI 0xb0de308d: (tos 0x0, ttl 126, id 4750, offset 0, flags [DF], proto TCP (6), length 307, bad cksum 1160 (->1260)!)
        192.168.0.6.56380 > 10.34.12.7.80: Flags [P.], cksum 0xfdb4 (correct), seq 0:267, ack 1, win 16450, length 267
    20:42:07.343753 (authentic,confidential): SPI 0x01d89470: (tos 0x0, ttl 63, id 17820, offset 0, flags [none], proto TCP (6), length 40)
        10.34.12.7.80 > 172.16.13.6.56380: Flags [.], cksum 0xf302 (correct), seq 1, ack 268, win 54, length 0
    20:42:07.353121 (authentic,confidential): SPI 0x01d89470: (tos 0x0, ttl 63, id 17821, offset 0, flags [+], proto TCP (6), length 1420)
        10.34.12.7.80 > 172.16.13.6.56380: Flags [.], seq 1:1381, ack 268, win 54, length 1380
    20:42:07.353138 (authentic,confidential): SPI 0x01d89470: (tos 0x0, ttl 63, id 17821, offset 1400, flags [none], proto TCP (6), length 40)
        10.34.12.7 > 172.16.13.6: tcp
    20:42:07.353147 (authentic,confidential): SPI 0x01d89470: (tos 0x0, ttl 63, id 17822, offset 0, flags [none], proto TCP (6), length 717)
        10.34.12.7.80 > 172.16.13.6.56380: Flags [F.], cksum 0x5ec7 (correct), seq 1401:2078, ack 268, win 54, length 677
    20:42:07.353389 (authentic,confidential): SPI 0xb0de308d: (tos 0x0, ttl 126, id 4751, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 125e (->135e)!)
        192.168.0.6.56380 > 10.34.12.7.80: Flags [.], cksum 0xf1aa (correct), seq 267, ack 1, win 16450, options [nop,nop,sack 1 {1401:2078}], length 0
    20:42:10.353156 (authentic,confidential): SPI 0x01d89470: (tos 0x0, ttl 63, id 17823, offset 0, flags [+], proto TCP (6), length 1420)
        10.34.12.7.80 > 172.16.13.6.56380: Flags [.], seq 1:1381, ack 268, win 54, length 1380
    20:42:10.353172 (authentic,confidential): SPI 0x01d89470: (tos 0x0, ttl 63, id 17823, offset 1400, flags [none], proto TCP (6), length 40)
        10.34.12.7 > 172.16.13.6: tcp
    20:42:16.353146 (authentic,confidential): SPI 0x01d89470: (tos 0x0, ttl 63, id 17824, offset 0, flags [+], proto TCP (6), length 1420)
        10.34.12.7.80 > 172.16.13.6.56380: Flags [.], seq 1:1381, ack 268, win 54, length 1380
    20:42:16.353166 (authentic,confidential): SPI 0x01d89470: (tos 0x0, ttl 63, id 17824, offset 1400, flags [none], proto TCP (6), length 40)
        10.34.12.7 > 172.16.13.6: tcp
    20:42:28.354123 (authentic,confidential): SPI 0x01d89470: (tos 0x0, ttl 63, id 17825, offset 0, flags [+], proto TCP (6), length 1420)
        10.34.12.7.80 > 172.16.13.6.56380: Flags [.], seq 1:1381, ack 268, win 54, length 1380
    20:42:28.354142 (authentic,confidential): SPI 0x01d89470: (tos 0x0, ttl 63, id 17825, offset 1400, flags [none], proto TCP (6), length 40)
        10.34.12.7 > 172.16.13.6: tcp
    20:42:52.354955 (authentic,confidential): SPI 0x01d89470: (tos 0x0, ttl 63, id 17826, offset 0, flags [+], proto TCP (6), length 1420)
        10.34.12.7.80 > 172.16.13.6.56380: Flags [.], seq 1:1381, ack 268, win 54, length 1380
    20:42:52.354972 (authentic,confidential): SPI 0x01d89470: (tos 0x0, ttl 63, id 17826, offset 1400, flags [none], proto TCP (6), length 40)
        10.34.12.7 > 172.16.13.6: tcp



  • I did an packet analysis using the Pfs captured packets on the IPsec tunnel interface and Wireshark and came to the conclusion packets were lost due to different MSS settings at the Pfs and the remote location. The mss settings on the remote location appeared to be 1400 and my mss is 1460. Changed the mss settings on the pfs Lan interface also to 1400 and now I'm able to browse the remote htpp page.
    So problem solved!


Locked