Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
17.1 Legacy Series
»
Fragmented UPD not send over IPSEC tunnel
« previous
next »
Print
Pages: [
1
]
Author
Topic: Fragmented UPD not send over IPSEC tunnel (Read 10022 times)
jaco.vandenberg
Newbie
Posts: 8
Karma: 0
Fragmented UPD not send over IPSEC tunnel
«
on:
June 26, 2017, 05:17:17 pm »
Hi,
we are running IPSEC to a connect a site to a Fortigate firewall in the datacenter using a site-to-site VPN.
This works fine for normal client traffic (mostly RDP over TCP) .
It turns out however, that Fragmented UPD is not send from the Fortigate site to the opnsense site .
This used to worked fine when the opnsense was a m0n0wall firewall, , however as soon as ik bring down the m0n0wall and lanuch the opnsense, it stops working. Switching back to the M0n0Wall it works fine again, so it muist be a opsense thing, blocking fragmented UDP for some reason.
opnsense is the latest version.
Any ideas what's wrong ?
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Fragmented UPD not send over IPSEC tunnel
«
Reply #1 on:
June 26, 2017, 06:52:55 pm »
Firewall / Settings / Normalization
Tick IP Do-Not-Fragment and recheck.
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
jaco.vandenberg
Newbie
Posts: 8
Karma: 0
Re: Fragmented UPD not send over IPSEC tunnel
«
Reply #2 on:
June 26, 2017, 08:56:30 pm »
Excellent !
I tried that, your suggestion did not work at first sight, however, in this menu:
Firewall: Settings: Normalization :
Detailed Settings,
i added a line for the IPsec tunnel with the "IP Do-Not-Fragment" setting. That improved things quite a bit !
Now it allows most packets through the tunnel . However a certain packet loss is observed when tested with iPerf.
So upstream there is no UDP packet loss (there never was), downstream there is about 20% packet loss.
When the do-not-fragment setting ïs disabled, all packets are dropped, so it DOES have positive effect on the problem, however, quite some packets still get lost.
That is strange, isn't it ?
«
Last Edit: June 26, 2017, 08:59:43 pm by jaco.vandenberg
»
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Fragmented UPD not send over IPSEC tunnel
«
Reply #3 on:
June 26, 2017, 10:14:45 pm »
Yep, but normally you should fix the fragmentation issue if possible, this would be best practice.
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
bartjsmit
Hero Member
Posts: 2017
Karma: 194
Re: Fragmented UPD not send over IPSEC tunnel
«
Reply #4 on:
June 26, 2017, 11:28:51 pm »
Do you have the same MTU all along the path?
Bart...
Logged
jaco.vandenberg
Newbie
Posts: 8
Karma: 0
Re: Fragmented UPD not send over IPSEC tunnel
«
Reply #5 on:
June 27, 2017, 11:39:03 am »
did not check that, however TCP is flowing perfectly and the problem stays with very small MTU sizes (i.e. 400).
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Fragmented UPD not send over IPSEC tunnel
«
Reply #6 on:
June 27, 2017, 11:44:27 am »
When the problem stays with small MTU too your hardware is underpowered.
I also experienced issues when testing with IPerf some ASA 5515 routers, when it reaches the limit packets get dropped.
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
IJH
Newbie
Posts: 1
Karma: 0
Re: Fragmented UPD not send over IPSEC tunnel
«
Reply #7 on:
June 28, 2017, 12:40:39 pm »
Have you modified the MTU on the Fortigate policy?
you can modify it per policy:
config firewall policy
edit xxx
set tcp-mss-sender 1436
You'll need to calculate the MSS and edit the 1436 number depending on what you're connected by on the interface the Fortigate is using for the IPSec tunnel.
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Fragmented UPD not send over IPSEC tunnel
«
Reply #8 on:
June 28, 2017, 12:45:35 pm »
MSS is for TCP, the problem here are UDP packets
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
17.1 Legacy Series
»
Fragmented UPD not send over IPSEC tunnel