Urgent help needed...client install with problems with MTU and ipsec

[d1rewolf]

Guys,

I currently on the last hours of a client install. I have two Untangles (u25 and u150) with an ipsec tunnel between them.

Things seemed to be working fine... I can ping/ssh from either side. However, if I do anything which outputs more than a bit of data (for example, "cat /etc/passwd", the ssh session freezes.

I found evidence that a MTU setting could be responsible. On the remote server I was doing that cat on, it was set to 1500. On my local laptop I was ssh'ing from, it was also set to 1500.

Dropping it to 1280 MTU on my laptop fixed the issue, but JUST for my laptop. All other hosts on the local network are not communicating because of this.

How can I fix the issue for everyone?

I'm running out of time...

Thanks in advance.

[d1rewolf]

I tried changing the mtu on eth0 (the external interface) but it does no good. I then tried changing it on both eth0 and eth1 (external and internal) and no dice.

I'm betting it has to be set on the ipsec interface. Is this possible?

[jcoffin]

Unless there is an issue with the switch between your device and the local Untangle, only the external ethernet needs the MTU changed. I would check if there is an MTU issue on the far end Untangle also.

[d1rewolf]

How would I determine if there was a problem on the remote end?

I've dropped the MTU on both Untangle for the External interface, but still no dice.

Thanks

[d1rewolf]

I fell back to OpenVPN and it seems to be working ok.

Any idea why it would work with OpenVPN but not Ipsec? Is it acceptable to run OpenVPN instead of ipsec for a large-ish install? What are the benefits/drawbacks?

Thanks!

[d1rewolf]

We finally got it working with the help of Untangle support. I'm not certain I'm clear on why reducing the MTU on my laptop allowed it to work but changing the MTU on the Untangle NICs didn't. Regardless, what ultimately fixed it, in case any of you experience this, was ensuring "Bypass all IPsec traffic" was checked in the IPsec options on both ends. I had it checked on one, but mistakenly missed the other side. HTH.