Update:
I've today tested a different setup with another system (Raspberry) and again the policy-based Tunnel.
The same happens here: as soon as I send a packet above a certain size, the tunnel itself stays up, but no data is sent through it. Even after changing the interface MTU to a very low value (1000), nothing changes in this behavior. The problem might be caused by the mobile internet provider.
When I (without an active VPN tunnel) lower the MTU on the interface, the "gap" still applies: for example, when the interface MTU is set to 1500, I am able to send pings up to 1472. Lowering the MTU further to 1472, I am able to send pings up to 1444:
ping 8.8.8.8 -M do -s 1445
PING 8.8.8.8 (8.8.8.8) 1445(1473) bytes of data.
ping: local error: message too long, mtu=1472
Does anyone know how I can fix this issue to get my VPN tunnel stable?
Another Update:
Seems to be an OPNsense issue... I've "extended" my setup:
Site A, Modem <-> OPNsense 24.7.10_2-amd64 on FreeBSD 14.1-RELEASE-p6 (virtualized System) with a static public IP
Site B, SIM-Card Router and non-static, non-public (incoming) IP / behind NAT
<-> OPNsense 24.7.10_2-amd64 on FreeBSD 14.1-RELEASE-p6 (Zima-Board)
<-> additionally a Raspberry Pi with a policy-based IPsec Client
I am "able" to send large pings from my Raspberry, which tells me that they are too large and can't be fragmented (but the tunnel keeps working properly).
If I send them from my Site-A OPNsense, the tunnel gets destroyed as well. So whenever the sending goes through the OPNsense boxes, it destroys the tunnel.
I've even added esp_Frag and Fragmentation = yes via a custom config without any effect... normalizations didn't have any effect at all...
So any help regarding this OPNsense issue would be great :(
Last Update:
As no one was able to help and I'd wasted too much time on this issue, I switched to a WireGuard S2S VPN tunnel... which is a pity as my clients use IPsec... but nevertheless, WireGuard works flawlessly.
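The 28-byte "gap" in the post (1500 to 1472, 1472 to 1444) is the IPv4 header (20 bytes) plus the ICMP echo header (8 bytes) that `ping -s` does not count. The following is an added example, not code from the original post or from OPNsense, that models the `ping -M do` probing the poster did and finds the largest payload a path carries with DF set. The "message too long" line format is the one quoted in the post; the "Frag needed" reply line, the addresses and the `simulated_df_ping` helper are constructed so the logic runs offline (a real probe would call ping via subprocess).

```python
import re

# Standard IPv4 and ICMP echo header sizes; together they are the 28-byte
# "gap" between interface MTU and the largest ping -s payload that passes.
IPV4_HEADER = 20   # bytes, no IP options
ICMP_HEADER = 8    # bytes, echo request/reply header
OVERHEAD = IPV4_HEADER + ICMP_HEADER

# Matches the MTU in both ping error forms:
#   ping: local error: message too long, mtu=1472          (local interface)
#   From 203.0.113.1 icmp_seq=1 Frag needed and DF set (mtu = 1400)   (router)
MTU_RE = re.compile(r"mtu\s*=\s*(\d+)")


def max_payload_for_mtu(mtu: int) -> int:
    """Largest `ping -s` payload that fits an MTU when the DF bit is set."""
    return mtu - OVERHEAD


def mtu_from_ping_line(line: str):
    """Return the MTU reported in a ping error line, or None for other lines."""
    m = MTU_RE.search(line)
    return int(m.group(1)) if m else None


def simulated_df_ping(interface_mtu: int, path_mtu: int):
    """Constructed stand-in for `ping -M do -s <size> <target>` on a host with
    `interface_mtu` whose path only carries `path_mtu`. Returns a probe
    callable giving (passed, output_line) for a payload size."""
    def probe(size: int):
        total = size + OVERHEAD
        if total > interface_mtu:
            # Kernel refuses to send: this is the local error seen in the post.
            return False, f"ping: local error: message too long, mtu={interface_mtu}"
        if total > path_mtu:
            # A conforming router drops the DF packet and reports its MTU;
            # a path that blackholes ICMP would simply time out here instead.
            return False, (f"From 203.0.113.1 icmp_seq=1 Frag needed and DF set "
                           f"(mtu = {path_mtu})")
        return True, f"{size + ICMP_HEADER} bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=12.3 ms"
    return probe


def find_max_df_payload(probe, lo: int = 0, hi: int = 65507) -> int:
    """Binary-search the largest payload the probe accepts. Assumes a payload
    that passes implies every smaller payload passes (true for MTU limits)."""
    while lo < hi:
        mid = (lo + hi + 1) // 2
        passed, _ = probe(mid)
        if passed:
            lo = mid
        else:
            hi = mid - 1
    return lo


def effective_path_mtu(probe) -> int:
    """Path MTU implied by the largest DF payload that gets through."""
    return find_max_df_payload(probe) + OVERHEAD


if __name__ == "__main__":
    # Reproduces the post's observations: MTU 1500 -> 1472, MTU 1472 -> 1444.
    for mtu in (1500, 1472):
        print(f"interface MTU {mtu}: largest ping -s payload = {max_payload_for_mtu(mtu)}")
    probe = simulated_df_ping(interface_mtu=1500, path_mtu=1400)
    print("largest DF payload on a 1400-byte path:", find_max_df_payload(probe))
    print("implied path MTU:", effective_path_mtu(probe))
```

Running the same DF probe against an address on the far side of the tunnel gives the usable tunnel MTU, which is lower than the physical interface MTU by the ESP (and UDP, when NAT-T is in use) encapsulation overhead; that is the value the inner MTU or TCP MSS clamp has to honour, and the interface MTU alone does not reveal it.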