Hi there,
In my configuration, I have IPSec running over a 6to4 tunnel between two sites (to reduce latency, rather than going to the main 6in4 tunnel and back)… I’ve found that when my PC tries to send large packets, the router sends back packet too big messages… the PC then sends back the same size packets, and eventually the connection dies.
Since 1280 is the smallest MTU that the router can advertise, does this mean IPSec over 6to4 is impossible? Or is there something I’m missing here…
Config as follows:
My end, where the client is
/certificate
set CA name=CA trusted=yes
/interface bridge
add admin-mac=D4:CA:6D:CC:67:61 auto-mac=no l2mtu=1598 name=bridge-local \
protocol-mode=rstp
/interface ethernet
set 0 name=ether1-TO_VDSL
set 1 name=ether2-TO_64T_OFFICE
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-TO_VDSL name=\
PPPoE_Internet password=xxxxxxxx user=xxxxxxxx
/interface 6to4
add local-address=<Local site WAN IP> mtu=1280 name="6to4 to Remote Site" remote-address=\
<Remote site WAN IP>
add local-address=<Local site WAN IP> mtu=1280 name=6to4-Internet remote-address=\
<6in4 internet gateway IP>
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-256 pfs-group=modp1536
/interface bridge port
add bridge=bridge-local interface=ether2-TO_64T_OFFICE
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PPPoE_Internet
/ip ipsec peer
add address=<Remote site /48 prefix>:eeee::1/128 auth-method=rsa-signature certificate=\
<host certificate> dh-group=modp1536 \
enc-algorithm=aes-256 hash-algorithm=sha1 remote-certificate=none
/ip ipsec policy
add disabled=yes dst-address=<Remote site /64 prefix>::/64 sa-dst-address=\
<Remote site /48 prefix>:eeee::1 sa-src-address=<Remote site /48 prefix>:eeee::2 src-address=\
<Local site /64 prefix>::/64 tunnel=yes
add disabled=yes dst-address=<Remote site /48 prefix>::/48 sa-dst-address=\
<Remote site /48 prefix>:eeee::1 sa-src-address=<Remote site /48 prefix>:eeee::2 src-address=\
<Local site /64 prefix>::/64 tunnel=yes
/ip route
add distance=1 gateway=PPPoE_Internet
/ipv6 address
add address=<Local site /64 prefix>::1 interface=bridge-local
add address=<Local site WAN IPv6> advertise=no interface=6to4-Internet
add address=<Remote site /48 prefix>:eeee::2 advertise=no interface="6to4 to Remote Site"
/ipv6 firewall address-list
add address=<Local site /64 prefix>::/64 list=LAN-IPs
add address=<Remote site /48 prefix>::/48 list=IPSEC_REMOTE_NETS
add address=<Remote site WAN network>::/64 list=IPSEC_REMOTE_NETS
add address=<Remote site /64 prefix>::/64 list=IPSEC_REMOTE_NETS
add address=<Remote site /64 prefix>::/64 list=BCT_LAN
/ipv6 firewall filter
add action=drop chain=input connection-state=invalid
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input dst-limit=5,5,src-and-dst-addresses protocol=icmpv6
add chain=input in-interface=bridge-local src-address-list=LAN-IPs
add chain=input in-interface=bridge-local src-address=fe80::/10
add action=jump chain=input jump-target=ipsec-input packet-mark=\
ipsec-encrypted src-address-list=IPSEC_REMOTE_NETS
add action=drop chain=input
add action=drop chain=forward connection-state=invalid
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward dst-limit=5,5,src-and-dst-addresses protocol=icmpv6
add chain=forward in-interface=bridge-local src-address-list=LAN-IPs
add action=jump chain=forward jump-target=ipsec-forward packet-mark=\
ipsec-encrypted src-address-list=IPSEC_REMOTE_NETS
add chain=forward dst-address=<Local site /64 prefix>::dead:beef:cafe/128 \
dst-port=80 protocol=tcp
add chain=forward dst-address=<Local site /64 prefix>::dead:beef:cafe/128 \
dst-port=13640 protocol=tcp
add chain=forward dst-address=<Local site /64 prefix>::dead:beef:cafe/128 \
dst-port=13640 protocol=udp
add action=drop chain=forward
add chain=ipsec-input dst-port=53 protocol=tcp
add chain=ipsec-input dst-port=8291 protocol=tcp src-address-list=BCT_LAN
add chain=ipsec-input dst-port=53 protocol=udp
add chain=ipsec-input dst-port=1701 protocol=udp
add action=drop chain=ipsec-input
add chain=ipsec-forward dst-address=<Local site /64 prefix>::dead:beef:cafe/128 \
dst-port=3389 protocol=tcp
add chain=ipsec-forward dst-address=<Local site /64 prefix>::dead:beef:cafe/128 \
dst-port=8080 protocol=tcp
add chain=ipsec-forward dst-address=<Local site /64 prefix>::dead:beef:cafe/128 \
dst-port=445 protocol=tcp
add action=drop chain=ipsec-forward
/ipv6 firewall mangle
add action=mark-packet chain=prerouting new-packet-mark=ipsec-encrypted \
protocol=ipsec-esp
/ipv6 nd
set [ find default=yes ] advertise-dns=yes mtu=1280
/ipv6 route
add distance=1 dst-address=2000::/3 gateway=<local site IPv6 Gateway>
add distance=1 dst-address=<Remote site WAN network>::/64 gateway=\
<Remote site /48 prefix>:eeee::1
add distance=1 dst-address=<Remote site /64 prefix>::/64 gateway=\
<Remote site /48 prefix>:eeee::1
add distance=1 dst-address=<Remote site /48 prefix>::/48 gateway=<Remote site /48 prefix>:eeee::1
Remote end, where the server is
/certificate
set CA name=CA trusted=yes
/interface ethernet
set 2 name="Port 3 To Switch"
set 3 name="Port 4 To DSL"
/interface pppoe-client
add disabled=no interface="Port 4 To DSL" name="PPPoE WAN prima" password=\
xxxxxxxx user=xxxxxxxx
/interface 6to4
add local-address=<local site public IP> name="6to4 to Remote site" remote-address=\
<remote site public IP>
add local-address=<local site public IP> mtu=1280 name=sit1 remote-address=\
<6in4 gateway to internet>
/interface vlan
add interface="Port 3 To AT Switch" l2mtu=1586 name="Internet Server DMZ" \
vlan-id=5
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-256 pfs-group=modp1536
/ip ipsec peer
add address=<local site /48 prefix>:eeee::2/128 auth-method=rsa-signature certificate=\
<local site cert, CN=IP> comment="Remote Site" dh-group=modp1536 \
enc-algorithm=aes-256 hash-algorithm=sha1 remote-certificate=none
/ip ipsec policy
add comment="Remote Site" disabled=yes dst-address=<remote site /64 prefix>/64 \
sa-dst-address=<local site /48 prefix>:eeee::2 sa-src-address=<local site /48 prefix>:eeee::1 \
src-address=<local site /64 prefix>::/64 tunnel=yes
add comment="Remote Site" disabled=yes dst-address=<remote site /64 prefix>::/64 \
sa-dst-address=<local site /48 prefix>:eeee::2 sa-src-address=<local site /48 prefix>:eeee::1 \
src-address=<local site /48 prefix>::/48 tunnel=yes
/ip route
add distance=1 gateway="PPPoE WAN prima"
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT traffic on WAN interface" out-interface="PPPoE WAN prima
/ipv6 address
add address=<Local site WAN IPv6> advertise=no interface=sit1
add address=<local site /48 prefix>:eeee::1 interface="6to4 to Remote Site"
add address=<local site /48 prefix>:3::1 interface="Internet Server DMZ"
/ipv6 firewall filter
add action=drop chain=forward connection-state=invalid
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward protocol=icmpv6
add chain=forward in-interface="6to4 to Remote site" packet-mark=ipsec-encrypted
add chain=forward in-interface="Internet Server DMZ" out-interface=sit1
add action=drop chain=forward
add action=drop chain=input connection-state=invalid
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input protocol=icmpv6
add action=jump chain=input jump-target=ipsec
add action=drop chain=input
add chain=ipsec protocol=ipsec-esp
add chain=ipsec dst-port=500 protocol=udp
/ipv6 firewall mangle
add action=mark-packet chain=prerouting new-packet-mark=ipsec-encrypted \
protocol=ipsec-esp
add action=mark-packet chain=prerouting dst-port=500 new-packet-mark=\
ipsec-encrypted protocol=udp
/ipv6 nd
set [ find default=yes ] mtu=1280
/ipv6 route
add distance=1 dst-address=2000::/3 gateway=<local site WAN gateway>
add distance=1 dst-address=<remote site WAN network>::/64 gateway=\
<local site /48 prefix>:eeee::2
add distance=1 dst-address=<remote site /64 prefix>::/64 gateway=\
<local site /48 prefix>:eeee::2
Attached is a screenshot of wireshark, taken from my PC (the client). Green is the local /64 prefix, red is the remote /48 prefix
