 From:  Michael Sierchio <kudzu at tenebras dot com>
 To:  Mike Robison <mrobison at wts dot edu>
 Cc:  Steven Nusser <jaguar11735 at gmail dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] ssh over an ipsec site to site tunnel
 Date:  Wed, 25 Jan 2012 08:38:27 -0800
Possibly - the behavior you describe is one I have seen when packets
are not fragmented before encapsulation.  The NEED-FRAG ICMP error
message doesn't get sent.

On Wed, Jan 25, 2012 at 8:26 AM, Mike Robison <mrobison at wts dot edu> wrote:
> Steven,
>    That was a really interesting idea. And it makes sense. Sadly, I just
> tried it and it doesn't seem to work for me. Just to make sure I understood
> you correctly, I set up the following firewall rule on both firewalls:
> <rule>
>    <type>pass</type>
>    <interface>wan</interface>
>    <protocol>icmp</protocol>
>    <source>
>        <any/>
>    </source>
>    <destination>
>        <any/>
>    </destination>
>    <descr>IPSec Path MTU Correction</descr>
> </rule>
> I don't know if the following impacts this, but earlier I turned on "Allow
> fragmented IPSec packets" on both m0n0walls. Perhaps, by setting that, I
> turned PMTUD off?
> Mike Robison
> On Wed, Jan 25, 2012 at 11:03 AM, Steven Nusser <jaguar11735 at gmail dot com> wrote:
>> How is your firewall configured? In order for PMTUD (Path MTU Discovery)
>> to function correctly, ICMP 'Destination Unreachable' messages must be
>> permitted through the firewall. At least on my m0n0wall devices, I
>> typically allow all ICMP traffic through, although you should have the
>> option to only allow that specific ICMP type through. Setting this should
>> allow your computer to detect the lower MTU of the IPSEC link, and send
>> packets accordingly.
>> --
>> Steven C. Nusser
>> On Wed, Jan 25, 2012 at 10:51 AM, Mike Robison <mrobison at wts dot edu> wrote:
>>> Hi,
>>>    I'm attempting to run an ssh connection over an ipsec site to site
>>> tunnel and I'm running into MTU issues. I have a workaround that works,
>>> but it doesn't feel proper. I've got two m0n0walls (v1.33) set up as the
>>> end points in the ipsec tunnel, connecting two subnets. Running ifconfig
>>> on either tells me that the MTU is at 1500. When I attempt to ssh from
>>> one subnet to the other, the connection hangs when running commands like
>>> ls -la or ps aux. After some poking around, I found that both my ssh
>>> client and server have their MTU set to 1500. I changed the client to
>>> 1440 and the ssh connection works like a charm. What I think is happening
>>> is this: The ipsec tunnel is not properly reforming the ssh packets at
>>> the end of the tunnel, thereby causing the ssh tunnel to collapse.
>>>   Has anyone else discovered a better solution than modifying the MTU of
>>> the ssh client? That is to say, is there a suggested way of ensuring the
>>> ipsec tunnel properly reforms the packets in M0n0wall itself? Or do I
>>> actually not understand what is going on here?
>>> Thanks,
>>> Mike Robison
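
Added example, not part of the thread or of m0n0wall: a parser for the ICMP "Destination Unreachable / fragmentation needed" (type 3, code 4) message that PMTUD depends on, useful when checking a capture to see whether the error ever reaches the sending host. The addresses, ports and packet bytes are constructed; the next-hop MTU of 1440 is a sample value borrowed from the client setting mentioned in the thread.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; a message with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_need_frag(mtu: int, original: bytes) -> bytes:
    """Constructed sample: ICMP type 3 code 4 quoting the oversized packet."""
    msg = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + original
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]

def parse_need_frag(icmp: bytes):
    """Return PMTUD details, or None if this is not a valid NEED-FRAG error."""
    if len(icmp) < 8 + 20 + 8:          # ICMP header + IP header + 8 payload bytes
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4) or inet_checksum(icmp) != 0:
        return None
    inner = icmp[8:]                    # quoted header of the packet that was dropped
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 4:
        return None
    proto = inner[9]
    ports = struct.unpack("!HH", inner[ihl:ihl + 4]) if proto in (6, 17) else None
    return {
        "next_hop_mtu": mtu or None,    # 0 = pre-RFC 1191 router, MTU not reported
        "tcp_mss": mtu - 40 if mtu and proto == 6 else None,  # 20 B IP + 20 B TCP
        "df_set": bool(inner[6] & 0x40),
        "src": socket.inet_ntoa(inner[12:16]),
        "dst": socket.inet_ntoa(inner[16:20]),
        "ports": ports,
    }

# Constructed original packet: 1500-byte SSH segment with DF set, RFC 1918 hosts.
ORIGINAL = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                       socket.inet_aton("192.168.1.10"),
                       socket.inet_aton("192.168.2.20")) + struct.pack("!HHI", 50000, 22, 1)
SAMPLE = build_need_frag(1440, ORIGINAL)  # constructed NEED-FRAG message

if __name__ == "__main__":
    print(parse_need_frag(SAMPLE))
```

If a capture on the sending host never shows a message that this parser accepts while large segments with DF set keep being retransmitted, the error is being dropped or never generated somewhere on the path.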