IPSEC fails with files larger than 1400 bytes, PMTUD issue

    Hi Guys,
    Have failed to get the following IPsec link to transfer any file that has 1400 bytes or more.
    Pfsense box Version 2.1.4-RELEASE (i386) is being used to connect to our office network so I can work from home.
    Office server is running openswan-2.6.32 on Centos 6.x
    Home system is running Centos 6.x
    ssh works in both directions, ipsec link has no other issues, link is very reliable.
    Pfsense Home system PMTUD set to 1300; have also tried 1200 and 1100 with no success.
    Fails with and without NAT-T enabled in IPsec.

    All IP on office server and network are public.
    Loaded the Home Pfsense box with IPcop and found that the IPsec has no issues with large files.

    Home system ---- Pfsense ----- internet ---- Pfsense ------ Office server
    10.34.4.200 ---- Pfsense <------------- IPsec ------------> 203.xxx.xxx.xxx

    Tracepath from Home system to Office server Fails
    tracepath -n 203.xxx.xxx.x
    1:  10.34.4.200      0.274ms pmtu 1500
    1:  10.34.4.1        0.643ms  <--------------------Home Pfsense system
    1:  10.34.4.1        0.550ms
    2:  no reply

    Tracepath from Office server to Home system Works
    tracepath -n 10.34.4.200
    1?: [LOCALHOST]    pmtu 1464
    1:  203.xxx.xxx.1      0.088ms pmtu 1446
    1:  203.xxx.xxx.1      0.096ms pmtu 1438
    1:  no reply
    2:  10.34.4.200      76.198ms reached
        Resume: pmtu 1438 hops 2 back 63

    There are no errors in the Firewall logs.
    Looks like the Pfsense side fails to do PMTUD. Is this a bug?

    Would really appreciate any suggestions as I have run out of ideas.

    thanks
    markl
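The two tracepath runs quoted above, fed through an added diagnostic script (not from the original post, pfSense or Openswan) that reports where PMTUD stalls in each direction and what TCP MSS clamp the discovered path MTU implies. It assumes the tracepath line format shown in the post and a 40-byte IPv4+TCP header overhead for the MSS figure.

```python
import re

# Sample tracepath output, copied from the two runs quoted in the post.
HOME_TO_OFFICE = """\
1:  10.34.4.200      0.274ms pmtu 1500
1:  10.34.4.1        0.643ms
1:  10.34.4.1        0.550ms
2:  no reply
"""

OFFICE_TO_HOME = """\
1?: [LOCALHOST]    pmtu 1464
1:  203.xxx.xxx.1      0.088ms pmtu 1446
1:  203.xxx.xxx.1      0.096ms pmtu 1438
1:  no reply
2:  10.34.4.200      76.198ms reached
    Resume: pmtu 1438 hops 2 back 63
"""

# One probe line: "<hop>[?]:  <host>  [<rtt>ms]  [pmtu <n>]  [reached]"
HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\??:\s+(?P<host>\S+)(?:\s+[\d.]+ms)?"
    r"(?:\s+pmtu\s+(?P<pmtu>\d+))?(?:\s+(?P<reached>reached))?\s*$"
)
NO_REPLY_RE = re.compile(r"^\s*(?P<hop>\d+):\s+no reply\s*$")


def analyse(output):
    """Return the last PMTU tracepath learned and whether discovery completed."""
    pmtu, reached, stalled_at = None, False, None
    for line in output.splitlines():
        m = NO_REPLY_RE.match(line)
        if m:
            stalled_at = int(m.group("hop"))
            continue
        m = HOP_RE.match(line)
        if not m:
            continue  # the "Resume:" summary line carries nothing we need
        if m.group("pmtu"):
            pmtu = int(m.group("pmtu"))  # a router answered "fragmentation needed"
        if m.group("reached"):
            reached = True
    if reached:
        verdict = "ok: destination reached, path MTU %s" % pmtu
    else:  # no ICMP too-big ever came back, so the sender keeps an MTU that is too large
        verdict = "pmtud black hole after hop %s, sender still assumes pmtu %s" % (stalled_at, pmtu)
    return {"pmtu": pmtu, "reached": reached,
            "stalled_at": None if reached else stalled_at, "verdict": verdict}


def mss_clamp(pmtu):
    """TCP MSS that keeps every segment inside the discovered path MTU (20 IPv4 + 20 TCP)."""
    return pmtu - 40
```

With the post's data the home-to-office run never learns a smaller MTU and dies at hop 2, while the office-to-home run settles at 1438, giving an MSS clamp of 1398 for the tunnel.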