-
Notifications
You must be signed in to change notification settings - Fork 714
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Route-based IPsec / big packets / fragmentation not working correct #3542
Comments
Something strange happens: from my firewall I can ping with 1700 bytes the remote firewall and host in the remote network. But from the remote firewall I can only ping with 1700 bytes the local firewall. Hosts are not pingable. |
The big pings are all logged with IPsec as interface. The smaller ping to the same destinations are logged with the vti_ interface. |
Any suggestions where I can dig deeper into? I have done further test from my local LAN to several remote LANs. All connected via VPN and all gateways are OPNsense machines. In every policy-base connection the big packet 1700 bytes is written als one packet in the log with 1728 bytes as input on the IPsec interface and with 1728 bytes as output on the LAN interface. And I get response from the destination machine. With all route-based connections I can see the input fragmented on the IPsec interface as two packets and as one packet with 1728 bytes on the LAN interface as output. I don't know what form this packet finally has at the destination machine, but I do not get any answer from there. I can ping with 1700 all remote OPNsense interfaces on all ends from all LANs and from all OPNsense. But not the LAN behind them in route-based configuration. What is the difference in the packet forming between route- and policy-based IPsec? |
When I deactivate the complete packet filtering in the "Advanced Settings" of the firewall, everything works. I have tried to deactivate all set rules, but this did not have the same effect. Any idea where to look? |
Anything set in Firewall -> Settings -> Normalisation? a copy of the ruleset |
No normalisation set. I have tried to switch off scrub. But this didn't help with SIP communication. The rules.debug is nearly 300 lines long. May I send you this via Mail? Too many IP addresses to remove... |
ok, let's focus on settings and scrub first then:
this is likely a configuration issue, I rather keep the exchanged content online within community support time. When disabling scrub, did the ping work as expected? there could be multiple issues, so best to step by step here. |
set limit table-entries 1000000 |
Yes, when scrub was disabled I could ping with 1700 through the local firewall |
ok, when considering this situations (with scrub enabled as it is now):
can |
Yes, And I can see the incoming icmp packet in the firewall log of |
can you share ifconfig output (with obfuscated addresses)? |
VTI of
|
from all related interfaces (lan, wan, tunnel) |
LAN:
WAN:
|
the 1400 on ipsec8000 is very likely an issue now without mss clamping configured |
These were the standard values from the system. Any suggestions for MTU and MSS fix? |
can you try to set mss on ipsec8000 to anything lower then 1400? |
MSS only works for TCP, normally MTU should be received from parent interface, but no idea how to realize. |
@mimugmail you're right, my mistake. just out of curiosity, could you reproduce the ping large packet issue on your end? Personally I would expect that switching off scrubbing should keep the normal behaviour. Maybe the better question to @jroehler23 is if the large packet ping works when scrub is disabled. |
I can test next week. Normally, when ICMP is allowed in every direction correctly, PMTU discovery should take care of (when DF bit not set) |
ok, thanks in advance. |
#3327 could be related. Worth a test to disable pf completely and check If it works. Perhaps some auto rules etc. prohibit ICMP messages (or sysctl) |
I think @jroehler23 mentioned it worked with pf disabled, which leaves scrubbing or filtering as most likely candidates. The new version (19.7) should also show these internal rules in the overview, for now they should generate log entries when logging is enabled if I'm not mistaken. |
I can confirm that large ping and the SIP signalization from the remote LAN is working when pf is deactivated. With scrubbing disabled I can ping with large packet, but not really stable. When I try to SIP call the remote location from outside (public phone number), neither the ping is working the same time I am calling, nor the SIP is passed from the remote LAN to the telephone server in the local LAN. But it seams to use and block to VPN tunnel with its packets. |
New experience: After a reboot the large pings are working! BUT: not from the beginning! I have to ping at least once with a normal size ping (e.g. 32 bytes). When I try to ping direct with 1700 bytes it is still not working. |
And I have to keep pinging with small packets. I have waited now for 40 minutes and cannot ping with 1700 bytes. I have to ping first with a small packet, then the big ping is working again. The tunnel is up and routed all the time. It is getting stranger and stranger... |
Next watching: after 24 hours the LAN at the remote site is not reachable any more. Even via ssh connection to the remote OPNsense - no ping to any host in the remote LAN is possible. I have tried to reload services or to deactivate the complete pf. No change. But the tunnel is still active, routes are set and both endpoints are reachable. Also the LAN address of the remote OPNsense is reachable. Clients in the WLan or other networks there are reachable via ping from the remote OPNsense. After a reboot of the remote sense, the remote LAN is reachable again. Any hint where to look, to get rid of this behavior? I am confused... |
Unfortunately not, it could be some other network or configuration issue, it's a complex world. Within the boundaries of community support I'm afraid I can't help you at the moment. If someone can isolate a specific issue which we can reproduce on our end, I'll gladly take a look. |
I'm seeing a similar problem with my roadwarrior setup. |
So this evening I started a test with a complete new installation and did the complete configuration by hand from the scratch. A lot of stupid work, but it was worth it: now the fragmentation issue is gone. I have absolute no idea why this happend. From my side we can close this. |
Same here, no Idea what can help. |
On 23.7? Freebsd 13.2 adds PMTU support for ipsec, maybe it helps to frag packets before loosing them |
Hi Michael, its 23.1.6. |
upgraded to 23.7, behaviour still same. |
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
[X] I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
[X] I have searched the existing issues and I'm convinced that mine is new.
Describe the bug
I have changed a working policy-based VPN connection to a route-based. After the change ping, normal traffic, DNS, ... everything is working fine, except SIP and bigger packets. The SIP router on the remote end network sends for call signalization a big packet (1500 bytes). In the policy-based configuration everything worked fine, so here is not the problem.
I've checked the firewall log on the remote end and there you can see lots of normal packet directed to the vti interface from the SIP router (192.168.202.202). These packets are reaching me on the local side (192.168.200.20) - fine. But you can also see also some fragmented UDP packets directed to the IPsec interface. This also happens when I try to send pings with 1400 or 1450 bytes.
When I try to ping with DF flag, the ping is rejected. But without it is lost.
I have tried to change the MTU of the vti interface. This has an effect to the DF flag of my ping. But does not help with the fragmentation problem.
To Reproduce
Connect two host over the internet with route based IPsec and try to ping over the VPN with 1450 bytes.
Expected behavior
Packtes should be fragmented and put correct together again.
Screenshots
Relevant log files
If applicable, information from log files supporting your claim.
Additional context
Add any other context about the problem here.
Environment
OPNsense 19.1.9-amd64
FreeBSD 11.2-RELEASE-p10-HBSD
OpenSSL 1.0.2s 28 May 2019
The text was updated successfully, but these errors were encountered: