Author Topic: IPsec MTU issues - pfsense has advanced MTU settings but not opnsense? (Read 9119 times)

TheLinuxGuy · « **on:** May 16, 2021, 10:29:37 am »

I'm having MTU issues (unable to load websites - dell remote management) over the IPsec tunnel. I have lowered the MTU and MSS settings on my LAN but still facing issues - if I reboot the opnsense it will work for a few minutes so it seems some traffic may respect MSS but then stops working.

pfsense seems to have special settings under IPsec for this condition per https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/advanced.html

other opnsense users seem to have reported the same issue without resolution: https://forum.opnsense.org/index.php?topic=17881.0

any idea what can be done?

mimugmail · « **Reply #1 on:** May 16, 2021, 01:46:57 pm »

Interfaces : LAN : MSS, set to 1300.

TheLinuxGuy · « **Reply #2 on:** May 16, 2021, 02:14:14 pm »

Quote from: mimugmail on May 16, 2021, 01:46:57 pm

Interfaces : LAN : MSS, set to 1300.

This is exactly what I had configured and was having issues.

I ended up being able to implement a workaround.

Firewall > settings > Normalization

Added a rule:
- Interface "IPsec"
- source any
- dest any
- max MSS set to 1350

Restored LAN to have no MSS. So far its been stable for the past hour and I am uploading a large file.

mimugmail · « **Reply #3 on:** May 16, 2021, 04:30:19 pm »

This doesnt makes sense as the IPsec overhead is 40 bytes, so 1300 should be fine

Author Topic: IPsec MTU issues - pfsense has advanced MTU settings but not opnsense? (Read 9119 times)

TheLinuxGuy

IPsec MTU issues - pfsense has advanced MTU settings but not opnsense?

mimugmail

Re: IPsec MTU issues - pfsense has advanced MTU settings but not opnsense?

TheLinuxGuy

Re: IPsec MTU issues - pfsense has advanced MTU settings but not opnsense?

mimugmail

Re: IPsec MTU issues - pfsense has advanced MTU settings but not opnsense?