Packet fragmentation / MTU issue with site-to-site VPN tunnel

Hello,

I am struggling with a site-to-site VPN tunnel between two RB3011. Ping of hosts between subnets is fine, but an RDP connection hangs after authentication with a black screen. It seems to be a problem with fragmentation/MTU.
I have similar configurations running for years between several Routerboards.

Configuration is as following:

  • RouterOS 6.40.3 on both RBs

Peer configuration:

address=1.1.1.1/32 local-address=2.2.2.2 auth-method=pre-shared-key secret="thepassword" generate-policy=port-override policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256,aes-128 dh-group=modp1536 lifetime=1d dpd-interval=2m dpd-maximum-failures=5

Proposal:

name="myproposal" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp1024

Policy:

src-address=10.10.10.0/24 src-port=any dst-address=10.10.20.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1 proposal=myproposal ph2-count=1

and of course the NAT bypass rules in the firewall, together with corresponding “mirrored” entries on the other side. The tunnel is up.

I have set DF removal as suggested in http://gregsowell.com/wp-content/uploads/2009/12/GregSowell-mikrotik-vpn1.pdf on slide 59.

I also tried MSS clamping as in http://stevedischer.com/pmtu-and-mss-discovery-issues-resolved-with-mikrotik/ with different lower values, from 1314 down to 1250.
Trying ping -f -l gives 1314 as the largest size at which the ping is still OK.

Any help is very appreciated.

Thank you in advance,
Ralf
Vienna/Austria

You shouldn’t have to do the DF bit adjustment. At best that just hides a broken configuration.

Think about how the MTU of a path changes and ensure that each layer 3 device can perform fragmentation as needed. In the case of traffic that has DF set, ensure the receiver is able to send an ICMP too big message successfully back to the sender; this message tells the sender of a DF packet to make it smaller.

Ensure your MTU is set to a size of 40 bytes larger than your MSS adjustment.

Side note: with a policy-based VPN, the source IP of ICMP too big messages on the router may not be one you’d expect.
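To make the “MTU 40 bytes larger than your MSS” rule concrete for the proposal posted above (ESP tunnel mode, aes-128-cbc + sha1, no NAT-T, IPv4), here is an added size calculator; it is not code from the thread or from MikroTik. It assumes the DF ping in the first post was Windows `ping -l` (payload bytes behind 8 bytes ICMP and 20 bytes IPv4), and the 1400-byte wire size it derives from the 1314-byte payload is an inference from the arithmetic, not something the thread confirms.

```python
# Added example (not from the thread): size arithmetic for an ESP tunnel-mode SA
# using the posted proposal: aes-128-cbc + sha1 (HMAC-SHA1-96), IPv4, no UDP encapsulation.

OUTER_IP = 20      # outer IPv4 header added by tunnel mode
ESP_HDR = 8        # SPI + sequence number
AES_IV = 16        # AES-CBC initialisation vector
AES_BLOCK = 16     # CBC padding granularity
ESP_TRAILER = 2    # pad-length + next-header bytes, encrypted with the payload
SHA1_ICV = 12      # HMAC-SHA1-96 integrity check value
TCP_IP_HDRS = 40   # IPv4 + TCP headers without options (the "40 bytes" in the advice)


def esp_outer_size(inner_len: int) -> int:
    """Wire size of an ESP tunnel-mode packet carrying an inner IPv4 packet of inner_len bytes."""
    body = inner_len + ESP_TRAILER
    padded = -(-body // AES_BLOCK) * AES_BLOCK          # round up to a whole cipher block
    return OUTER_IP + ESP_HDR + AES_IV + padded + SHA1_ICV


def max_inner_for_path_mtu(path_mtu: int) -> int:
    """Largest inner IPv4 packet whose encrypted form still fits path_mtu without fragmentation."""
    usable = path_mtu - OUTER_IP - ESP_HDR - AES_IV - SHA1_ICV
    padded = usable // AES_BLOCK * AES_BLOCK            # only whole cipher blocks fit
    return padded - ESP_TRAILER


def mss_for_path_mtu(path_mtu: int) -> int:
    """TCP MSS to clamp so a full segment survives encryption unfragmented: inner MTU minus 40."""
    return max_inner_for_path_mtu(path_mtu) - TCP_IP_HDRS


def windows_ping_payload_to_inner(payload: int) -> int:
    """Assumption: Windows `ping -l N` puts N payload bytes behind 8 bytes ICMP + 20 bytes IPv4."""
    return payload + 8 + 20


if __name__ == "__main__":
    inner = windows_ping_payload_to_inner(1314)         # largest working DF ping from the first post
    print(f"inner packet {inner} bytes -> {esp_outer_size(inner)} bytes on the wire")
    for mtu in (1500, 1400):
        print(f"path MTU {mtu}: inner MTU {max_inner_for_path_mtu(mtu)}, "
              f"clamp MSS to {mss_for_path_mtu(mtu)}")
```

Running it shows that a 1314-byte payload becomes a 1342-byte inner packet and exactly 1400 bytes on the wire, so a 1400-byte path MTU would allow an inner MTU of 1342 and an MSS clamp of 1302.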

Thank you very much for your input. Sorry for my late reply.

If I get it right, I should have a look at how the two Routerboards can reach each other via ICMP, and make sure that there is no manual fragmentation.
I will check and give feedback. Thanks again!

I solved my problem (after another short night :wink: ).

I disabled Fasttrack in the filter rules of the firewall, and now the RDP connection, and also accessing CIFS shares, are working like a charm with expected behavior/speed.

Thanks again idlemind, I also read some of your earlier posts regarding similar issues.

Excellent to hear! Gotta love that the forums have all of our old posts and are searchable! I’ll have to add Fast Track to my list of IPSec troubleshooting too. I wonder whether you’d be ok if you just accepted the traffic sourced from / destined for the VPN ahead of the fast track rules. I have to really dive into Fast Track. Always something to learn.

I know this post is old, but this helped me A LOT.

Disabling the Fasttrack rule in the filter rules fixed the issue in the IPsec VPN.

thanks!