Ok, so I enabled the MSS clamping at the default. I had already disabled
the local firewalls on all three AD machines, and still no dice. I'll kill
this thread if you think it's not related to the PF. Thanks again Chris.

    -W


On Mon, Dec 3, 2012 at 6:08 PM, Wade Blackwell <[email protected]> 
wrote:
> Thanks Chris, I'll check it out.
> 
> Wade Blackwell
> Solutions Architect
> (D) 805.457.8825 X998
> (C) 805.400.8485
> 
> On Dec 3, 2012, at 6:03 PM, Chris Buechler <[email protected]> wrote:
> 
> > On Mon, Dec 3, 2012 at 5:57 PM, Wade Blackwell <[email protected]> wrote:
> >> Good afternoon all,
> >>        So I have 3 sites in a full mesh IPsec VPN. 2 of those sites are PF
> >> 2.1-BETA0 (nov 1) and the other is m0n0wall 1.33. Tunnel that is currently
> >> affected traverses one PF and the m0n0. I have disabled hardware checksum
> >> offload, hardware TCP segmentation offload and hardware large receive
> >> offload. I'm seeing a high number of the 0x0000 checksums (50+ percent) and
> >> I believe this is causing an AD domain join to fail over the VPN. No traffic
> >> filtering over the tunnels or on the interfaces where these hosts live, wide
> >> open between one another. Packet capture attached, any insight would be
> >> fabulous. Thanks all.
> >
> > The direction that has null checksums is normal for hardware checksum
> > offloading being enabled, from that capture it's not actually
> > disabled. I suspect that's not a problem at all. It's far more likely
> > you're having issues because of large packets not getting through.
> > Enabling MSS clamping on the VPN traffic (System>Advanced in pfSense,
> > impossible to do in m0n0wall but as long as it's only one endpoint
> > that may be ok) will work around such scenarios. If that's not it, my
> > next guess is Windows firewall, or an AD DNS problem.
> > _______________________________________________
> > List mailing list
> > [email protected]
> > http://lists.pfsense.org/mailman/listinfo/list



-- 
Wade Blackwell
Cell  - 805.400.8485
Desk  - 805.457.8825 X998
Skype - CoC.WadeBlackwell
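
Added example, not part of the thread or of pfSense: one way to check both points raised in the quoted reply against a capture, by counting 0x0000 TCP checksums per source address and reading the MSS advertised in SYN segments. The packets, addresses, ports and function names are constructed for illustration; real input would be the IPv4 packets taken from a capture file.

```python
import struct
from collections import Counter

def build_packet(src, dst, flags, csum, mss=None):
    """Build a minimal IPv4+TCP packet. Constructed sample data only."""
    opts = struct.pack("!BBH", 2, 4, mss) if mss else b""
    tcp = struct.pack("!HHIIBBHHH", 40000, 445, 1, 0,
                      ((20 + len(opts)) // 4) << 4, flags, 65535, csum, 0) + opts
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                       64, 6, 0, addr(src), addr(dst)) + tcp

def syn_mss_option(tcp):
    """Walk the TCP options of a segment and return the MSS value, or None."""
    opts, i = tcp[20:(tcp[12] >> 4) * 4], 0
    while i < len(opts) and opts[i] != 0:          # kind 0 = end of options
        if opts[i] == 1:                           # kind 1 = NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:  # malformed length, stop
            return None
        if opts[i] == 2 and opts[i + 1] == 4 and i + 4 <= len(opts):
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return None

def inspect(packets):
    """Per source IP: zero-checksum TCP segments, total segments, MSS in SYNs."""
    zero, total, mss = Counter(), Counter(), {}
    for pkt in packets:
        tcp = pkt[(pkt[0] & 0x0F) * 4:] if len(pkt) >= 20 else b""
        if len(tcp) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
            continue                               # not a full IPv4/TCP header
        src = ".".join(str(b) for b in pkt[12:16])
        total[src] += 1
        zero[src] += int(struct.unpack("!H", tcp[16:18])[0] == 0)
        if tcp[13] & 0x02 and (value := syn_mss_option(tcp)) is not None:
            mss[src] = value                       # SYN or SYN-ACK carries MSS
    return zero, total, mss

def above_clamp(mss, clamp):
    """Sources whose SYN advertises an MSS larger than the clamp value."""
    return sorted(src for src, value in mss.items() if value > clamp)

# Constructed capture: 10.0.1.10 is the capturing host, 10.0.2.20 the far side.
SAMPLE = [build_packet("10.0.1.10", "10.0.2.20", 0x02, 0x0000, mss=1460),
          build_packet("10.0.2.20", "10.0.1.10", 0x12, 0x8c1f, mss=1360),
          build_packet("10.0.1.10", "10.0.2.20", 0x10, 0x0000),
          build_packet("10.0.2.20", "10.0.1.10", 0x10, 0x51aa)]
```

Zero checksums that all come from the capturing host's own address fit the offload explanation in the reply, and comparing the SYN MSS on each side of the firewall against the configured clamp value shows whether clamping is being applied to the tunnel traffic.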
