OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: olest on March 30, 2021, 09:47:50 am

Title: MSS and IPSEC
Post by: olest on March 30, 2021, 09:47:50 am
Hi,

I have had a few new sites where I need to set MSS=1400 on the LAN interface to get traffic through IPSEC tunnels.
Is that a "normal" problem?
Title: Re: MSS and IPSEC
Post by: juere on April 08, 2021, 07:03:17 am
I think it is, if one of your IPSEC endpoints is using an MTU less than the default 1500 and PMTU-Discovery is broken between endpoints. In all tunnels with one endpoint on our Hetzner servers I have to use MSS=1300 as they are running with MTU 1400 due to Hetzner Virtual Switch VLANs.
Title: Re: MSS and IPSEC
Post by: Ricardo on April 08, 2021, 07:55:06 pm
On opnsense router what metrics/counters indicate that my vpn tunnel speed problem happens because of MTU / fragmentation?
Title: Re: MSS and IPSEC
Post by: juere on April 08, 2021, 10:06:24 pm
In my experience MTU problems mostly manifest not as speed problems, but as connections with larger packet sizes stalling. For example ping goes through, ssh hangs once you type 'ls' in a directory with many files :)
Title: Re: MSS and IPSEC
Post by: Ricardo on April 09, 2021, 01:44:57 pm
How about high amount of fragmentation due to tunnel MTU smaller than endpoint MTU, and the constant fragmentation/re-assembly that can kill throughput?
Title: Re: MSS and IPSEC
Post by: Aergan on April 10, 2021, 11:07:15 am
I set a Firewall normalisation rule for my IPSEC interface and set all traffic to Max MSS 1350 for that interface. That resolved it for my IPSEC tunnel to Azure (gleaned from their documentation).
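Worked example, added here and not posted by anyone in the thread: it computes the largest inner TCP MSS that still fits an ESP tunnel-mode packet into a given outer MTU, so clamp values like 1300 at MTU 1400 or 1350 can be checked against the actual encapsulation overhead instead of guessed. The two ESP profiles (AES-GCM, and AES-CBC with HMAC-SHA2-256-128), the IPv4-only outer header and the optional NAT-T UDP header are assumptions, not taken from the thread.

```python
"""Check TCP MSS clamps against IPsec ESP tunnel-mode overhead (added example)."""
from dataclasses import dataclass

IP4_HDR = 20      # outer and inner IPv4 header
TCP_HDR = 20      # inner TCP header without options
UDP_HDR = 8       # only present with NAT-T (UDP/4500)
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header


@dataclass(frozen=True)
class EspProfile:
    name: str
    iv_len: int    # explicit IV carried in the packet
    block: int     # padding alignment: cipher block (CBC) or 4 (GCM)
    icv_len: int   # integrity check value
    nat_t: bool = False


# Assumed profiles; adjust to what the tunnel actually negotiates.
AES_GCM = EspProfile("aes256gcm16", iv_len=8, block=4, icv_len=16)
AES_CBC = EspProfile("aes256-sha256", iv_len=16, block=16, icv_len=16)


def esp_overhead(inner_len: int, p: EspProfile) -> int:
    """Bytes ESP tunnel mode adds around an inner IPv4 packet of inner_len bytes."""
    pad = (-(inner_len + ESP_TRAILER)) % p.block   # align payload + trailer
    nat_t = UDP_HDR if p.nat_t else 0
    return IP4_HDR + nat_t + ESP_HDR + p.iv_len + pad + ESP_TRAILER + p.icv_len


def max_inner_mss(outer_mtu: int, p: EspProfile) -> int:
    """Largest TCP payload whose encrypted packet fits outer_mtu unfragmented."""
    for mss in range(outer_mtu - IP4_HDR - TCP_HDR, 0, -1):
        inner = IP4_HDR + TCP_HDR + mss
        if inner + esp_overhead(inner, p) <= outer_mtu:
            return mss   # padding makes this non-monotonic, hence the search
    return 0


def clamp_is_safe(outer_mtu: int, clamp: int, p: EspProfile) -> bool:
    """True if a normalisation rule with Max MSS = clamp avoids fragmentation."""
    inner = IP4_HDR + TCP_HDR + clamp
    return inner + esp_overhead(inner, p) <= outer_mtu


if __name__ == "__main__":
    for mtu in (1500, 1400):   # 1400 is the outer MTU mentioned for Hetzner
        for prof in (AES_GCM, AES_CBC):
            print(f"MTU {mtu} {prof.name:14s} max MSS {max_inner_mss(mtu, prof)}")
    print("MSS 1300 at MTU 1400, GCM:", clamp_is_safe(1400, 1300, AES_GCM))
    print("MSS 1300 at MTU 1400, CBC:", clamp_is_safe(1400, 1300, AES_CBC))
```

The CBC profile loses a few more bytes to block padding than GCM, which is why a clamp that is safe for one cipher suite can still fragment with another at the same outer MTU.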
Title: Re: MSS and IPSEC
Post by: Ricardo on April 12, 2021, 06:05:54 am
@Aergan: that "firewall normalisation" sounds plain Chinese to me. What did you do exactly, any step-by-step guide to follow?