IPIP Tunnel: ping endpoint works, remote webpage does not

I have a 2011UAS-2HnD (6.13) and a 951G-2HnD (5.26) connected through an IP tunnel. On each MikroTik I can ping the other’s WAN IP address, IP tunnel address and the networks on either side. I’ve also set up IPSEC in transport mode to encrypt the tunnel packets. So far so good.

The remote site has a QNAP NAS which I can ping (and receive 100% replies), but when I try to open the management webpage of the QNAP I get the login page and then the tunnel crashes. I’ve kept the pings running and they immediately go to “request time-out” … Torch on the IP Tunnel interface shows that nothing is passing through.

At first I thought the QNAP crashed, but I can’t ping anything else on the remote site either. When I close the web browser and wait a minute the tunnel re-establishes and I can ping everything again.

The MTU size on the IP Tunnel interface is 1480, on the local and remote networks it is 1500. Changing the IP Tunnel MTU to 1500 still crashes the tunnel.

Any ideas/thoughts on what the problem might be or how to fix it?
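Added example (not from the post or from MikroTik): a small Python calculation of how large an IPIP packet becomes once ESP is applied in transport versus tunnel mode, and the largest tunnel MTU that still fits a 1500-byte link. It assumes AES-CBC (16-byte IV and blocks) with HMAC-SHA1-96 (12-byte ICV), no NAT-T and no IP options; it does not explain the difference between the two modes, but it shows that with a 1480-byte IPIP MTU a full-size packet exceeds 1500 bytes on the wire in either mode.

```python
# Added example: on-wire size of an IPIP tunnel packet after ESP (RFC 4303),
# in transport and tunnel mode, plus the largest IPIP MTU that fits the link MTU.
# Assumptions (not stated in the post): AES-CBC (16-byte IV, 16-byte blocks),
# HMAC-SHA1-96 (12-byte ICV), no UDP encapsulation (NAT-T), no IP options.

IP_HDR = 20      # IPv4 header without options
ESP_HDR = 8      # SPI + sequence number
ESP_TRAILER = 2  # pad length + next header
IV_LEN = 16      # AES-CBC
ICV_LEN = 12     # HMAC-SHA1-96
BLOCK = 16       # cipher block size; also satisfies ESP's 4-byte alignment rule


def esp_padded(plain_len: int, block: int = BLOCK) -> int:
    """Plaintext + padding + trailer, rounded up to the cipher block size."""
    return -(-(plain_len + ESP_TRAILER) // block) * block


def esp_wire_size(ipip_payload: int, mode: str) -> int:
    """Bytes on the physical link for an IPIP packet carrying ipip_payload bytes.

    The IPIP packet is IP_HDR + ipip_payload (an MTU of 1480 on the tunnel
    interface means ipip_payload <= 1480).  Transport mode protects only the
    IP payload of that packet; tunnel mode protects the whole packet and adds
    a fresh outer IP header.
    """
    if mode == "transport":
        protected = ipip_payload            # IPIP outer header stays in the clear
    elif mode == "tunnel":
        protected = IP_HDR + ipip_payload   # entire IPIP packet becomes ESP payload
    else:
        raise ValueError(f"unknown IPsec mode: {mode}")
    return IP_HDR + ESP_HDR + IV_LEN + esp_padded(protected) + ICV_LEN


def max_ipip_mtu(link_mtu: int, mode: str) -> int:
    """Largest IPIP interface MTU whose full-size packets leave unfragmented."""
    payload = link_mtu
    while payload > 0 and esp_wire_size(payload, mode) > link_mtu:
        payload -= 1
    return payload


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(f"{mode:9s} IPIP MTU 1480 -> {esp_wire_size(1480, mode)} bytes on the wire; "
              f"largest IPIP MTU fitting a 1500-byte link: {max_ipip_mtu(1500, mode)}")
```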

Well let me answer my own post…

I thought I could use IPSEC in Transport Mode only because previously the Monowall in front did not like passing the IPSEC packets in Tunnel Mode and the connection never completed phase 2. The latest release of Monowall doesn’t seem to have this problem.

So I updated the Monowall and changed IPSEC from Transport to Tunnel mode. Monowall handles it now, the tunnel is stable and the QNAP management pages load without a hitch.

Fixed. Although I am still curious as to why Transport Mode has the issues I describe. I can confirm it was not the Monowall because on the current version changing the IPSEC back to Transport Mode reproduces the problem.