Re: [pfSense] ipsec and multi-wan

2015-03-23 Thread Chris Buechler
On Thu, Mar 19, 2015 at 12:48 PM, Gregory K Shenaut
gkshen...@ucdavis.edu wrote:
> Hi, I have a system with two sites. One of the sites has two WAN connections,
> the other one. I have an IPSEC tunnel passing all traffic between the two
> sites. I'm having some difficulty with site-to-site access. I can ping
> anything in either site from either site, but can't do much of anything else.
> For example, I can't open web pages across the tunnel: sometimes I get
> nothing, sometimes a hundred or so characters then nothing else. When I try
> to transfer lots of data across the tunnel, typically I get some initial
> data, again a hundred or so characters, then it hangs, and, frequently, the
> tunnel itself goes down and I have to wait for it to re-establish itself.


Almost certainly needing MSS clamping. Advanced settings tab, check
that box there. Then start new connections (may want to kill states
just to make really sure), and things will probably work.


> I've tried all sorts of things, and I believe that there may be a problem in
> routing due to the dual-WAN setup on one of the sites. I'm not entirely
> certain, but it's possible the problem began when I set up dual-WAN.
>
> I'm on pfsense 2.2.1.
>
> There is a sentence in the documentation at
> https://doc.pfsense.org/index.php/VPN_Capability_IPsec under Prerequisites:
>
> If pfSense is not the default gateway on the LAN where it is installed,
> static routes must be added to the default gateway, pointing the remote VPN
> subnet to the IP address on pfSense in the LAN subnet.


Is that actually the case? VPN is on a separate box from the default
gateway on the LAN?


> I've tried adding various static routes based on my understanding of that
> sentence, but they haven't helped, which is why I'm asking this question.
>
> First, preliminary question: when you make a change to the System > Static
> Routes web page and apply it, it seems like sometimes older
> routes aren't deleted. Is it necessary to reboot every time you change the
> static routes to make sure that you get rid of ones you deleted or
> deactivated?

Never necessary to reboot. Where are you seeing they're still there?
Routes being there after you deleted the static route is generally
indicative of something else adding them back, like a dynamic routing
protocol, or them being in an OpenVPN client or server, or similar.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
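The MSS clamping fix recommended above, worked through as an added example. This is not code from the thread or from pfSense; it is a stand-alone Python model of why ICMP echo crosses the tunnel while TCP stalls, and of what MSS value a clamp should produce. The ESP overhead figures (8-byte ESP header, IV and ICV sizes for AES-CBC, AES-GCM and the HMAC variants, 2-byte trailer, 8 bytes for NAT-T UDP encapsulation) are the standard values from the ESP RFCs; the function names and the 1500-byte path MTU are assumptions for illustration.

```python
"""Added example (not from the thread or pfSense): TCP MSS needed for a
site-to-site IPsec tunnel, and why ping works while bulk TCP hangs."""

# Fixed header sizes (bytes). Assumptions: no IP or TCP options.
IPV4_HDR = 20
IPV6_HDR = 40
TCP_HDR = 20
UDP_HDR = 8           # NAT-T encapsulation (UDP/4500)
ESP_HDR = 8           # SPI + sequence number
ESP_TRAILER = 2       # pad length + next header

# ESP transform -> (IV length, ICV carried by the cipher itself, pad alignment)
CIPHERS = {
    "aes-cbc": (16, 0, 16),   # integrity comes from a separate HMAC
    "aes-gcm": (8, 16, 4),    # AEAD: 16-byte ICV built in, 4-byte alignment
}
# Separate integrity algorithm -> ICV length
INTEGRITY = {"none": 0, "hmac-sha1-96": 12, "hmac-sha256-128": 16}


def esp_overhead(inner_len, cipher="aes-cbc", integ="hmac-sha1-96",
                 nat_t=False, outer_v6=False):
    """Bytes ESP tunnel mode adds around an inner IP packet of inner_len."""
    iv, icv, align = CIPHERS[cipher]
    icv += INTEGRITY[integ]
    # Padding makes (inner + pad + trailer) a multiple of the alignment.
    pad = (-(inner_len + ESP_TRAILER)) % align
    outer = IPV6_HDR if outer_v6 else IPV4_HDR
    return outer + (UDP_HDR if nat_t else 0) + ESP_HDR + iv + pad + ESP_TRAILER + icv


def largest_inner_packet(path_mtu, **kw):
    """Largest inner IP packet that still fits the path MTU once encapsulated."""
    inner = path_mtu
    while inner + esp_overhead(inner, **kw) > path_mtu:
        inner -= 1
    return inner


def clamped_mss(path_mtu, inner_v6=False, **kw):
    """TCP MSS to advertise so a full-size segment survives encapsulation."""
    ip_hdr = IPV6_HDR if inner_v6 else IPV4_HDR
    return largest_inner_packet(path_mtu, **kw) - ip_hdr - TCP_HDR


def would_blackhole(advertised_mss, path_mtu, **kw):
    """True if full segments at this MSS exceed the path MTU after ESP.

    With DF set and the ICMP 'fragmentation needed' reply lost, such a
    connection delivers small packets (handshake, first headers) and then
    hangs: the symptom described in the thread.
    """
    return advertised_mss > clamped_mss(path_mtu, **kw)


def find_path_mtu(probe, lo=576, hi=1500):
    """Binary-search the largest IP packet probe(size) delivers unfragmented.

    probe is any callable returning True on success, e.g. a wrapper around
    'ping -M do -s <size-28> <peer>' on Linux or 'ping -D -s <size-28>' on
    FreeBSD/pfSense (28 = IPv4 header + ICMP header).
    """
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    mtu = 1500  # assumed path MTU between the two WANs
    print("AES-CBC/HMAC-SHA1, no NAT-T :", clamped_mss(mtu))
    print("AES-GCM                     :", clamped_mss(mtu, cipher="aes-gcm", integ="none"))
    print("AES-CBC/HMAC-SHA1 behind NAT:", clamped_mss(mtu, nat_t=True))
    print("default MSS 1460 blackholes?:", would_blackhole(1460, mtu))
```

A 64-byte echo request fits any of these tunnels, which is why ping succeeds; a TCP peer that advertises the Ethernet default MSS of 1460 sends 1500-byte inner packets that become roughly 1556-byte ESP packets, so the first small replies arrive and the rest never does. Clamping to 1398 or lower for AES-CBC with HMAC-SHA1 (lower still behind NAT-T) keeps every segment under the path MTU; pfSense applies the clamp to new connections only, which is why existing states have to be cleared.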


Re: [pfSense] ipsec and multi-wan

2015-03-23 Thread Gregory K Shenaut

> On Mar 23, 2015, at 17:31 , Chris Buechler c...@pfsense.org wrote:
>
> On Thu, Mar 19, 2015 at 12:48 PM, Gregory K Shenaut
> gkshen...@ucdavis.edu wrote:
> > Hi, I have a system with two sites. One of the sites has two WAN
> > connections, the other one. I have an IPSEC tunnel passing all traffic
> > between the two sites. I'm having some difficulty with site-to-site access.
> > I can ping anything in either site from either site, but can't do much of
> > anything else. For example, I can't open web pages across the tunnel:
> > sometimes I get nothing, sometimes a hundred or so characters then nothing
> > else. When I try to transfer lots of data across the tunnel, typically I get
> > some initial data, again a hundred or so characters, then it hangs, and,
> > frequently, the tunnel itself goes down and I have to wait for it to
> > re-establish itself.
>
>
> Almost certainly needing MSS clamping. Advanced settings tab, check
> that box there. Then start new connections (may want to kill states
> just to make really sure), and things will probably work.

This worked like a champ! I didn't know that option existed. Thank you.

Greg

> > I've tried all sorts of things, and I believe that there may be a problem in
> > routing due to the dual-WAN setup on one of the sites. I'm not entirely
> > certain, but it's possible the problem began when I set up dual-WAN.
> >
> > I'm on pfsense 2.2.1.
> >
> > There is a sentence in the documentation at
> > https://doc.pfsense.org/index.php/VPN_Capability_IPsec under Prerequisites:
> >
> > If pfSense is not the default gateway on the LAN where it is installed,
> > static routes must be added to the default gateway, pointing the remote VPN
> > subnet to the IP address on pfSense in the LAN subnet.
>
>
> Is that actually the case? VPN is on a separate box from the default
> gateway on the LAN?

>
> > I've tried adding various static routes based on my understanding of that
> > sentence, but they haven't helped, which is why I'm asking this question.
> >
> > First, preliminary question: when you make a change to the System > Static
> > Routes web page and apply it, it seems like sometimes older
> > routes aren't deleted. Is it necessary to reboot every time you change the
> > static routes to make sure that you get rid of ones you deleted or
> > deactivated?
>
> Never necessary to reboot. Where are you seeing they're still there?
> Routes being there after you deleted the static route is generally
> indicative of something else adding them back, like a dynamic routing
> protocol, or them being in an OpenVPN client or server, or similar.
