Ipsec over PPPoE problem

Posted: Tue Oct 17, 2006 11:38 am
by darksideofthemoon
Hello,
I've a problem with an IPsec tunnel that a client, behind a MikroTik wireless area, builds with an internet host.

Here the scenario:

(client) --- (Ric522 pppoe-client) --- (RB532a pppoe-server) --- (internet)

The VPN goes up and the client can ping the VPN server and can establish a telnet connection with a host inside the VPN network, but some other protocols don't work... for example Windows "remote desktop" or a webmail in HTTPS protocol.

If I disable the PPPoE client and set manually the IP address, gateway and all the other stuff on the RIC522, all works perfectly... so I think that the problem is in the PPPoE tunnel...

The firmware of both MT routers is 2.9.30.

Any ideas?
Does someone have the same problem?

Greetings.

Posted: Tue Oct 17, 2006 11:42 am
by fatonk
I think you have a problem with fragmentation (MSS/MTU); try tweaking the MSS and MTU. Why is it working without PPPoE? Because with PPPoE you have a lower MTU, and without PPPoE the MTU is 1500 bytes.

Regards.

Faton

Posted: Tue Oct 17, 2006 4:17 pm
by darksideofthemoon
Thanks for the reply,

until now I've never modified MSS/MTU... any hints? Where must I change it? In the RIC522 (client side) or in the RB532a (server side)?
And... on which interface? On the PPPoE server maybe?

/interface pppoe-server server print
[...]
max-mru=1480 max-mtu=1480
[...]

Greetings

Posted: Tue Oct 17, 2006 10:33 pm
by airstream
Hi there. Indeed it sounds like the MTU size; change it to something smaller than the standard PPPoE size, then test the connection against sites that won't work if your MTU is wrong. One site I know of is Hotmail.com: if you click to log in and your MTU is off, the login screen will never show, it just hangs in the browser. Good for testing.

Posted: Wed Oct 18, 2006 9:17 am
by fatonk
You can configure it like this:

/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1440 comment="clamp MSS on SYN (1480 MTU - 40 bytes IP/TCP headers)"

/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn,ack action=change-mss new-mss=1440 comment="clamp MSS on SYN-ACK too"

regards

Faton.
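As an added illustration (not from the thread and not MikroTik code), here is a small Python model of what the change-mss rule above does to the MSS option of a SYN, using the 1480-byte pppoe-server MTU quoted earlier; the TCP segment bytes are constructed in the script.

```python
import struct

PPPOE_MTU = 1480   # max-mtu reported by /interface pppoe-server in the thread
IP_HDR = 20        # IPv4 header without options
TCP_HDR = 20       # TCP header without options
MSS_KIND = 2       # TCP option kind for Maximum Segment Size


def max_mss(mtu: int) -> int:
    """Largest TCP payload that fits in one packet on a link with this MTU."""
    return mtu - IP_HDR - TCP_HDR          # 1480 -> 1440, the value in the rule


def clamp_mss(tcp_segment: bytes, new_mss: int):
    """Rewrite the MSS option of a SYN the way action=change-mss does.

    Returns (rewritten_segment, old_mss); old_mss is None when the segment is
    not a SYN or carries no MSS option. The checksum is left alone here (the
    router recomputes it after mangling).
    """
    data_offset = (tcp_segment[12] >> 4) * 4   # header length incl. options
    flags = tcp_segment[13]
    if not flags & 0x02:                       # SYN bit clear: nothing to do
        return tcp_segment, None
    buf = bytearray(tcp_segment)
    i = TCP_HDR
    while i < data_offset:
        kind = buf[i]
        if kind == 0:                          # End of option list
            break
        if kind == 1:                          # NOP padding
            i += 1
            continue
        length = buf[i + 1]
        if kind == MSS_KIND and length == 4:
            old = struct.unpack_from('!H', buf, i + 2)[0]
            if old > new_mss:                  # only ever lower the MSS
                struct.pack_into('!H', buf, i + 2, new_mss)
            return bytes(buf), old
        i += length
    return tcp_segment, None


def build_syn(mss: int) -> bytes:
    """Constructed sample: a SYN 40000 -> 443 with MSS, NOP and window-scale options."""
    options = struct.pack('!BBH', MSS_KIND, 4, mss) + b'\x01' + struct.pack('!BBB', 3, 3, 7)
    data_offset = (TCP_HDR + len(options)) // 4            # 28 bytes -> 7 words
    hdr = struct.pack('!HHIIBBHHH', 40000, 443, 1, 0, data_offset << 4, 0x02, 65535, 0, 0)
    return hdr + options
```

Feeding a SYN that advertises the Ethernet-sized MSS of 1460 through clamp_mss with max_mss(PPPOE_MTU) yields a segment advertising 1440, so the peer never sends full-size segments that would need fragmentation inside the PPPoE link.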