Re: [pfSense] ipsec packets in one direction are too big
On 10/28/2013 02:19 PM, compdoc wrote:
>> Any thoughts??
>
> May not answer your question, but you did ask...
>
> I set up my first ipsec tunnel with pfSense and it has been wonderful, but I had to set System menu > Advanced > Miscellaneous tab > Enable MSS clamping on VPN traffic, and set it to 1375 before I got a stable connection.
>
> Before that SSH seemed to work, but VNC and RDP connections would just stall until I changed the setting.

I read about using TCP-MSS to handle issues like this. I feel like this is just putting a hack together instead of fixing the actual problem.. thanks though

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] ipsec packets in one direction are too big
> Any thoughts??

May not answer your question, but you did ask...

I set up my first ipsec tunnel with pfSense and it has been wonderful, but I had to set System menu > Advanced > Miscellaneous tab > Enable MSS clamping on VPN traffic, and set it to 1375 before I got a stable connection.

Before that SSH seemed to work, but VNC and RDP connections would just stall until I changed the setting.
[pfSense] ipsec packets in one direction are too big
Hi,

I am stumped on this one. I have three sites. Each one connects to the other two via ipsec. I'm having an issue in only one direction, and I cannot figure out what is going on.

To test, I am using the following ping command.

ping -D -s 1472

Site A (10.1.0.1)
- can ping site B and C with "-s 1472"

Site B (10.2.0.1)
- can ping site A with "-s 1472"
- can ping site C with "-s 1410" Max. If I go higher, my ping reaches site C, but the reply doesn't make it back.

Site C (10.3.0.1)
- can ping site A with "-s 1472"
- can ping site B with "-s 1410" Max.

I ran tcpdump on Site C interface enc0, and sent a ping -s 1472 from Site B. tcpdump shows the ping coming in, and the reply going out. If I initiate a ping from site C, and run tcpdump on site B, I don't see anything coming in.

Using public IP addresses (with no ipsec), Site C can then ping B with -s 1472. So I don't believe it is an MTU issue.

Any thoughts??
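The manual size test described in this post, automated as an added example (not part of the original thread): it binary-searches for the largest "ping -D -s" payload that completes a round trip, then converts it to the IPv4 packet size and the largest TCP MSS that fits. The function names and the PROBE override are hypothetical; the ping flags assume FreeBSD ping(8) as shipped with pfSense.

```shell
#!/bin/sh
# Added example: find the largest ICMP payload that survives a round trip
# with Don't Fragment set, then derive packet size and TCP MSS from it.

# probe HOST SIZE -> exit 0 if one DF ping with SIZE payload bytes is answered.
# FreeBSD ping(8): -D sets Don't Fragment, -t is the overall timeout (seconds).
# On Linux the equivalent is: ping -M do -c 1 -W 2 -s SIZE HOST
probe() {
    ping -D -c 1 -t 2 -s "$2" "$1" >/dev/null 2>&1
}

# max_payload HOST [LOW] [HIGH] -> prints the largest answered payload size.
# Returns 1 if even LOW gets no reply. Assumes every size up to the limit
# works and every size above it fails. Set PROBE to swap in another probe.
max_payload() {
    host=$1 lo=${2:-0} hi=${3:-1472}
    "${PROBE:-probe}" "$host" "$lo" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "${PROBE:-probe}" "$host" "$mid"; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$lo"
}

# ICMP payload + 8 (ICMP header) + 20 (IPv4 header) = IPv4 packet size.
packet_size() { echo $(( $1 + 28 )); }

# IPv4 packet size - 20 (IPv4) - 20 (TCP, no options) = largest TCP MSS.
max_mss() { echo $(( $(packet_size "$1") - 40 )); }

# Usage: sh probe-size.sh 10.3.0.1
if [ "$#" -gt 0 ]; then
    p=$(max_payload "$1") || { echo "no reply from $1" >&2; exit 1; }
    echo "host=$1 max_payload=$p packet_size=$(packet_size "$p") max_mss=$(max_mss "$p")"
fi
```

A failed probe only says the round trip failed, not which direction dropped the packet, so pair it with tcpdump on enc0 as in the post.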