 From:  Mike Robison <mrobison at wts dot edu>
 To:  Michael Sierchio <kudzu at tenebras dot com>
 Cc:  Steven Nusser <jaguar11735 at gmail dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] ssh over an ipsec site to site tunnel
 Date:  Wed, 25 Jan 2012 12:10:44 -0500
Being out of my depth at this point, I'm not sure how to test for this, or
on discovery, correct this.

On Wed, Jan 25, 2012 at 11:38 AM, Michael Sierchio <kudzu at tenebras dot com> wrote:

> Possibly - the behavior you describe is one I have seen when packets
> are not fragmented before encapsulation.  The NEED-FRAG ICMP error
> message doesn't get sent.
>
> On Wed, Jan 25, 2012 at 8:26 AM, Mike Robison <mrobison at wts dot edu> wrote:
> > Steven,
> >    That was a really interesting idea. And it makes sense. Sadly, I just
> > tried it and it doesn't seem to work for me. Just to make sure I understood
> > you correctly, I set up the following firewall rule on both firewalls:
> > <rule>
> >    <type>pass</type>
> >    <interface>wan</interface>
> >    <protocol>icmp</protocol>
> >    <source>
> >        <any/>
> >    </source>
> >    <destination>
> >        <any/>
> >    </destination>
> >        <descr>IPSec Path MTU Correction</descr>
> > </rule>
> > I don't know if the following impacts this, but earlier I turned on "Allow
> > fragmented IPSec packets" on both m0n0walls. Perhaps, by setting that, I
> > turned PMTUD off?
> > Mike Robison
> >
> > On Wed, Jan 25, 2012 at 11:03 AM, Steven Nusser <jaguar11735 at gmail dot com> wrote:
> >
> >> How is your firewall configured? In order for PMTUD (Path MTU Discovery)
> >> to function correctly, ICMP 'Destination Unreachable' messages must be
> >> permitted through the firewall. At least on my m0n0wall devices, I
> >> typically allow all ICMP traffic through, although you should have the
> >> option to only allow that specific ICMP type through. Setting this should
> >> allow your computer to detect the lower MTU of the IPSEC link, and send
> >> packets accordingly.
> >>
> >> --
> >> Steven C. Nusser
> >>
> >>
> >>
> >> On Wed, Jan 25, 2012 at 10:51 AM, Mike Robison <mrobison at wts dot edu> wrote:
> >>
> >>> Hi,
> >>>    I'm attempting to run an ssh connection over an ipsec site to site
> >>> tunnel and I'm running into MTU issues. I have a workaround that works, but
> >>> it doesn't feel proper. I've got two m0n0walls (v1.33) set up as the end
> >>> points in the ipsec tunnel, connecting two subnets. Running ifconfig on
> >>> either tells me that the MTU is at 1500. When I attempt to ssh from one
> >>> subnet to the other, the connection hangs when running commands like ls -la
> >>> or ps aux. After some poking around, I found that both my ssh client and
> >>> server have their MTU set to 1500. I changed the client to 1440 and the ssh
> >>> connection works like a charm. What I think is happening is this: The ipsec
> >>> tunnel is not properly reforming the ssh packets at the end of the tunnel,
> >>> thereby causing the ssh tunnel to collapse.
> >>>   Has anyone else discovered a better solution than modifying the MTU of
> >>> the ssh client? That is to say, is there a suggested way of ensuring the
> >>> ipsec tunnel properly reforms the packets in M0n0wall itself? Or do I
> >>> actually not understand what is going on here?
> >>> Thanks,
> >>> Mike Robison
> >>>
> >>
> >>
>
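A worked model of the two things this thread turns on: how much of a 1500-byte path is left for the inner packet once ESP tunnel mode wraps it (which is why a client MTU around 1440 "just works"), and whether a m0n0wall-style rule list actually lets the ICMP message that PMTUD depends on through. This is an added example written for this page, not code from the thread or from m0n0wall. The ESP framing constants are the standard ones (outer IPv4 header, SPI plus sequence number, IV, block padding, pad-length/next-header trailer, 96-bit ICV); the `<filter>` wrapper and the second, LAN-only rule in the sample XML are constructed; and `pmtud_outcome` is a deliberately simplified model that ignores the "Allow fragmented IPSec packets" option mentioned in the thread.

```python
"""Inner-MTU budget for ESP tunnel mode, plus a check that a rule list
admits ICMP.  Added example; framing sizes are standard ESP, the sample
rule XML is constructed around the rule quoted in the thread."""
import xml.etree.ElementTree as ET

OUTER_IP = 20     # outer IPv4 header added by tunnel mode
ESP_HDR = 8       # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)

# suite -> (IV length, cipher block size, ICV length), all in bytes
SUITES = {
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "aes-cbc/hmac-md5-96": (16, 16, 12),
}


def esp_packet_size(inner_len, suite="aes-cbc/hmac-sha1-96"):
    """Size on the wire of an inner IP packet of inner_len bytes after
    ESP tunnel-mode encapsulation with the given suite."""
    iv, block, icv = SUITES[suite]
    body = inner_len + ESP_TRAILER                 # plaintext + trailer
    padded = (body + block - 1) // block * block   # pad to block boundary
    return OUTER_IP + ESP_HDR + iv + padded + icv


def max_inner_mtu(path_mtu=1500, suite="aes-cbc/hmac-sha1-96"):
    """Largest inner packet whose encapsulated form still fits path_mtu."""
    inner = path_mtu
    while esp_packet_size(inner, suite) > path_mtu:
        inner -= 1
    return inner


def tcp_mss_for(inner_mtu):
    """TCP MSS that keeps segments inside inner_mtu (20 IP + 20 TCP)."""
    return inner_mtu - 40


def pmtud_outcome(inner_len, df_set, icmp_passes, path_mtu=1500,
                  suite="aes-cbc/hmac-sha1-96"):
    """Simplified model of what happens to one inner packet.  A DF packet
    that is too big and whose need-frag error is filtered is the
    'black hole' that shows up as an ssh session hanging on large output."""
    if esp_packet_size(inner_len, suite) <= path_mtu:
        return "delivered"
    if not df_set:
        return "fragmented"
    return "need-frag returned" if icmp_passes else "black hole"


def icmp_allowed(rules_xml, interface="wan"):
    """True if some pass rule on `interface` admits ICMP from any source
    to any destination, as the rule quoted in the thread does."""
    root = ET.fromstring(rules_xml)
    for rule in root.iter("rule"):
        if rule.findtext("type") != "pass":
            continue
        if rule.findtext("interface") != interface:
            continue
        if rule.findtext("protocol") != "icmp":
            continue
        if rule.find("source/any") is None:
            continue
        if rule.find("destination/any") is None:
            continue
        return True
    return False


# Constructed sample: the thread's WAN rule plus a LAN-only rule.  The
# <filter> wrapper is an assumption for this example, not m0n0wall's schema.
SAMPLE_RULES = """<filter>
  <rule>
    <type>pass</type>
    <interface>wan</interface>
    <protocol>icmp</protocol>
    <source><any/></source>
    <destination><any/></destination>
    <descr>IPSec Path MTU Correction</descr>
  </rule>
  <rule>
    <type>pass</type>
    <interface>lan</interface>
    <protocol>tcp</protocol>
    <source><any/></source>
    <destination><any/></destination>
  </rule>
</filter>"""

if __name__ == "__main__":
    for suite in SUITES:
        m = max_inner_mtu(1500, suite)
        print(f"{suite:24s} inner MTU {m}  TCP MSS {tcp_mss_for(m)}")
    print("ICMP allowed on wan:", icmp_allowed(SAMPLE_RULES))
    print("1500-byte DF packet, ICMP blocked:",
          pmtud_outcome(1500, True, False))
</test>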