IPsec MTU issues - pfsense has advanced MTU settings but not opnsense?

Started by TheLinuxGuy, May 16, 2021, 10:29:37 AM

I'm having MTU issues (unable to load websites - Dell remote management) over the IPsec tunnel. I have lowered the MTU and MSS settings on my LAN but am still facing issues - if I reboot the OPNsense it will work for a few minutes, so it seems some traffic may respect MSS, but then it stops working.

pfSense seems to have special settings under IPsec for this condition per https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/advanced.html

Other OPNsense users seem to have reported the same issue without resolution: https://forum.opnsense.org/index.php?topic=17881.0

Any idea what can be done?


Quote from: mimugmail on May 16, 2021, 01:46:57 PM
Interfaces : LAN : MSS, set to 1300.

This is exactly what I had configured and was having issues.

I ended up being able to implement a workaround.

Firewall > settings > Normalization

Added a rule:
- Interface "IPsec"
- source any
- dest any
- max MSS set to 1350

Restored LAN to have no MSS. So far it's been stable for the past hour and I am uploading a large file.

This doesn't make sense as the IPsec overhead is 40 bytes, so 1300 should be fine.
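
Added example, not part of the thread and not code from either project: a small calculator for the largest TCP MSS that fits inside an IPv4 ESP tunnel-mode packet, useful for checking a clamp value such as the 1300 and 1350 discussed above against a given path MTU. The cipher suites, NAT-T setting and path MTUs are assumptions, since the thread does not state the tunnel's proposal.

```python
# Added example: largest TCP MSS that fits an IPv4 ESP tunnel-mode packet.
# Cipher parameters are assumptions; the thread does not name the proposal.
from dataclasses import dataclass

ESP_HEADER = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1), both encrypted
NAT_T_UDP = 8     # UDP encapsulation header when NAT traversal is active
IPV4_HEADER = 20  # used for both the outer and the inner header
TCP_HEADER = 20   # fixed header; TCP options come out of the MSS


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int    # per-packet IV carried in the ESP payload
    align: int     # encrypted part must be a multiple of this many bytes
    icv_len: int   # integrity check value appended to the packet


# Common suites (assumed for illustration, not taken from the thread).
AES_CBC_SHA1 = EspSuite("aes-cbc/hmac-sha1-96", 16, 16, 12)
AES_CBC_SHA256 = EspSuite("aes-cbc/hmac-sha256-128", 16, 16, 16)
AES_GCM16 = EspSuite("aes-gcm-16", 8, 4, 16)


def max_inner_packet(path_mtu, suite, nat_t=False):
    """Largest inner IPv4 packet whose ESP packet still fits path_mtu."""
    room = path_mtu - IPV4_HEADER - ESP_HEADER - suite.iv_len - suite.icv_len
    if nat_t:
        room -= NAT_T_UDP
    ciphertext = (room // suite.align) * suite.align  # round down to alignment
    return ciphertext - ESP_TRAILER


def max_mss(path_mtu, suite, nat_t=False):
    """Largest MSS for TCP over IPv4 inside the tunnel."""
    return max_inner_packet(path_mtu, suite, nat_t) - IPV4_HEADER - TCP_HEADER


def clamp_fits(mss_clamp, path_mtu, suite, nat_t=False):
    """True if a full-size segment at mss_clamp fits without fragmentation."""
    return mss_clamp <= max_mss(path_mtu, suite, nat_t)


if __name__ == "__main__":
    for mtu in (1500, 1492):  # constructed inputs: Ethernet and PPPoE paths
        for suite in (AES_CBC_SHA1, AES_CBC_SHA256, AES_GCM16):
            for nat_t in (False, True):
                print(mtu, suite.name, nat_t, max_mss(mtu, suite, nat_t))
```

If a clamp that passes this check still stalls large transfers, the path MTU between the two gateways is likely lower than the value assumed here.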