Scott Ullrich wrote:

I access SQL, RDP and many other items through my IPsec tunnel and I
never change the MTU on the client. That's a bad idea. The
solution is to find out why the packets are getting fragmented. Active
Directory traffic does not work across my IPsec tunnel but RDP and
friends surely do. I would say there is something else causing the
fragmentation.

I'm coming a bit late into this one, but it still seems to be outstanding. Fragmentation isn't the issue at all. Modern OSes use PMTUD to discover the largest MTU of the path, if it's less than their MTU. Racoon (or FreeBSD, more likely) breaks PMTUD with IPsec because it doesn't take the IPsec overhead into account. So packets end up larger than the 1500 or 1492 MTU on the WAN and just disappear. What should happen at that point is that pfsense should send back a "frag needed, DF bit set" message, which causes the host to retry with a smaller MSS.

Some commercial VPNs (the Cisco client in particular) will avoid this altogether because it can be easier that way, by automatically fragmenting packets that are too big. That's with the Cisco client VPN; their site-to-site VPN takes IPsec overhead on PMTU into account appropriately. OSes with PMTUD enabled by default (virtually everything in use today) won't fragment packets; they'll set the DF bit on everything, expecting the "frag needed, DF bit set" reply part of PMTUD to work. ICMP is an exception to this, generally, in situations like with MS AD where it needs a 2000-byte ICMP echo request and reply to determine link speed (which is ridiculous, but regardless...). DF is generally not set by default on ICMP (at least on Windows).

While this doesn't always happen, and doesn't happen to everyone, it's most definitely an issue. Lowering the client MTU is the only way to resolve it at this point. I don't know what the cause is, but it's an issue as described above with both m0n0wall and pfsense.

