IPSec tunnel between Untangle and Cisco RV series- Can ping, VOIP works, can't browse

[JeffVCS]

In my continuing quest to get an IPSec tunnel working for a remote user I borrowed a Cisco RV110W from another firm, and was able to get the tunnel up and running just fine, thanks to the instructions on the Wiki and I have a VOIP phone is working great.

I can ping the main site by IP Address and DNS name from the remote site.

I can't get to file shares.

The server in question is a Windows 2012 file server, and the client PC is running Windows 7. From Windows if I browse to the UNC path I can't access anything, it acts like it's just taking longer than normal to get to the share, then nothing. No error message, no nothing. It's almost the the IPSec tunnel is extremely slow.

Is there some Untangle Firewall rule I'm missing when it comes to browsing shares across a VPN Tunnel?

[dmorris]

Random guess, but kinda sounds like a PMTU discovery issue.
Try manually lowering the MTU on your interface to 1450.

[jcoffin]

Check if Windows firewall is active on the Windows servers as that will block out of network connections.

[JeffVCS]

Super, I'll check both of those items and report back.

Took a couple days off unexpectedly, so I haven't had a chance to look.

[sky-knight]

Please be careful with the Windows firewall, disabling the service will put the firewall into lock down mode, not open mode. You must configure the thing to work, you can't just kill it.

You can turn it off in the control panel, or group policy, but again that is not disabling the Windows Firewall Service.

If you have active directory, just put the two IP networks into Sites and Services, then the domain profile will pass traffic naturally.

[JeffVCS]

Please be careful with the Windows firewall, disabling the service will put the firewall into lock down mode, not open mode. You must configure the thing to work, you can't just kill it.

You can turn it off in the control panel, or group policy, but again that is not disabling the Windows Firewall Service.

If you have active directory, just put the two IP networks into Sites and Services, then the domain profile will pass traffic naturally.

No worries on that, I'm a Windows and AD admin, I had just forgotten to check the Firewall configuration.

No luck on either of those fronts, changed the MTU on the Cisco RV110W and still have the same issue.

As a test case, before monkeying with anything else, I took a spare PC I have at home and installed PFSense on it, and that works just fine, network shares are available, everything works great. That's great for me, but I can't go stick that in my user's house.

So it's something specific to the tunnel between Untangle and the RV110W.

Another interesting note, remote desktop also fails to work through the IPSec tunnel when using the RV110W.

So, if I can get either the RV110W or a Mikrotik hEX working (Which aggravatingly I did have working, beautifully, but for only 10 - 20 minutes at a time) I'll be golden.

Fortunately, I have until July.

[JeffVCS]

Slight edit to that, remote destkop does work with the RV110W, but it just takes a long time to make the connection, in this case 3 minutes.

With PFSense it's almost instant.

So I surmise that eventually network shares would be available.

[JeffVCS]

Bingo!

I had neglected earlier to change the MTU on the Untangle side of things. Tried 1450 and it didn't work, the tunnel wouldn't even establish, so I arbitrarily picked 1490 and it worked. Which seems odd, one would think the smaller MTU would still work, but, who knows. Maybe it was a fluke.

[dmorris]

Great.

Yeah, sounds fishy.

In theory, PMTU discovery should work and you shouldn't have to change anything from the defaults.
A lot of testing with tcpdump and you could probably isolate the issue. Considering it works now, it may not be worth the time though....

[JeffVCS]

Great.

Yeah, sounds fishy.

In theory, PMTU discovery should work and you shouldn't have to change anything from the defaults.
A lot of testing with tcpdump and you could probably isolate the issue. Considering it works now, it may not be worth the time though....

Yeah, there's something still not quite right about it, it was up since my last post, a day and a half-ish, and dropped out sometime before noon today.

I rebooted the router on this end, and it was up for a couple hours, then it's out again.

Interesting though, on the earlier drop out (after the day and a half connection) the tunnel status didn't show up in Untangle's status for enabled IPsec tunnels, I had to disable and renable enable on the UT end, and powercycle the router on the remote end get it back up.

Looking now, after the second drop out, the UT status shows the tunnel active, but there is definitely no traffic passing. The Cisco end also shows the tunnel as established.

I just disabled both ends and re-endabled, and it doesn't want to re-establish. Weird. Going to take more troubleshooting for figure this out.

Or, I just need a really compact PC to put PFSense on.