When you say to adjust the MTU on the server, forgive the question, but which server?
Thanks,
-Marty

-----Original Message-----
From: Adam Armstrong [mailto:[email protected]]
Sent: Friday, March 27, 2009 2:14 AM
To: [email protected]
Subject: Re: [pfSense Support] Is there any reason I can't Remote desktop through an ipsec tunnel?

Marty Nelson wrote:
>
> I have an IPSec tunnel connecting my network to one of our customer
> sites, and while I can ping a computer on their network I am unable to
> remote desktop to. Currently all of our customer tunnels are set up to
> terminate in our DMZ to limit access back into our network. I have a
> second firewall (monowall) in our DMZ that then routes all traffic out
> through the tunnel. I've drawn a rudimentary layout of how it's set up
> (see below).
>
> I have the IPsec rules to pass all traffic, and currently I have it
> set up to log all traffic as well. What's strange is that when I
> attempt to remote desktop to it, I see no traffic relating to that at
> all. Nothing passing, nothing getting blocked. Like I said, I can ping
> the box just fine (and it shows up in the log), but I am unable to
> remote desktop to it and I don't see anything getting blocked, or passed.
>
> Hopefully this made sense. If it's unclear, please let me know and
> I'll try my best to clear it up.
>
> LAN (192.168)---[pfSenseFW]---DMZ (10.100)---[monowall]---[ipsec tunnel to cust site]---Cust site
>

I would say that it's almost certainly MTU-related. RDP always seems to be the first thing hit by a failure of the pmtud mechanism to work. The IPSEC tunnel will be reducing your MTU, and when the RDP server tries to send out a packet it'll get dropped. Try reducing the MTU of the interface of the server?

This usually manifests itself by the login screen background appearing (presumably because it fits into < 1492 bytes), but then nothing more. Doesn't sound exactly like what you're seeing, but RDP + IPSEC issues are usually MTU-related IME.

adam.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
Commercial support available - https://portal.pfsense.org
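The path-MTU failure described in the quoted reply can be measured before changing any interface setting. The following is an added example, not part of the original thread: it binary-searches the largest packet that crosses the tunnel with Don't Fragment set and derives an interface MTU and TCP MSS from it. The `ping` flags assume Linux iputils, and the 1438-byte simulated path is a constructed value, not a measurement of this tunnel.

```python
import subprocess
import sys

ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header
TCP_OVERHEAD = 40   # 20-byte IPv4 header + 20-byte TCP header, no options

def ping_df(host):
    """Return a probe that sends one DF-set echo request (Linux iputils ping)."""
    def probe(payload):
        cmd = ["ping", "-c", "1", "-W", "1", "-M", "do", "-s", str(payload), host]
        return subprocess.run(cmd, capture_output=True).returncode == 0
    return probe

def simulated_tunnel(path_mtu):
    """Constructed stand-in for a tunnel that silently drops oversized packets."""
    return lambda payload: payload + ICMP_OVERHEAD <= path_mtu

def find_path_mtu(probe, low=548, high=1472):
    """Binary-search the largest IPv4 packet that crosses the path with DF set.

    low/high are ICMP payload sizes: 548 gives a 576-byte packet and 1472 a
    full 1500-byte Ethernet packet. Returns None if even the smallest fails.
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low + ICMP_OVERHEAD

def advice(path_mtu):
    """Interface MTU and TCP MSS that keep segments inside the path MTU."""
    return {"interface_mtu": path_mtu, "tcp_mss": path_mtu - TCP_OVERHEAD}

if __name__ == "__main__":
    # With a host argument, probe it; otherwise use the constructed 1438-byte path.
    probe = ping_df(sys.argv[1]) if len(sys.argv) > 1 else simulated_tunnel(1438)
    mtu = find_path_mtu(probe)
    print("no reply even at 576 bytes" if mtu is None else advice(mtu))
```

A result below 1500 while small pings succeed matches the symptom in the thread: ping works, but full-size TCP segments from the RDP server never arrive.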
