Discussion:
[pfSense] IPSEC VPN and Outlook MSS/MTU settings
Nathan C. Smith
2012-02-13 20:09:29 UTC
We have a situation with a 1.2.3 embedded system on the remote end of an IPSEC VPN with a 2.0.1 system. I think the remote end is on a cable modem. The user on the remote end says their Microsoft Outlook sessions are dying after a while. When I ping the remote end using the "don't fragment" setting I can get up to a 1415 byte packet size before packets no longer transit the VPN.

In the past this Outlook issue usually comes back to MSS. On 1.2.3 I could only set the "MTU" for this issue and it had to be done on the WAN interfaces. Now all interfaces seem to have an MTU and an MSS setting. To set MSS to correct this issue I have the "MTU" set to 1400 on the remote WAN interface (pfSense 1.2.3). Which interface should I set on the local side, WAN or LAN? Should I use the exact same value?

Thank you.

-Nate
Jim Pingle
2012-02-13 20:58:22 UTC
Post by Nathan C. Smith
We have a situation with a 1.2.3 embedded system on the remote end of an IPSEC VPN with a 2.0.1 system. I think the remote end is on a cable modem. The user on the remote end says their Microsoft Outlook sessions are dying after a while. When I ping the remote end using the "don't fragment" setting I can get up to a 1415 byte packet size before packets no longer transit the VPN.
In the past this Outlook issue usually comes back to MSS. On 1.2.3 I could only set the "MTU" for this issue and it had to be done on the WAN interfaces. Now all interfaces seem to have an MTU and an MSS setting. To set MSS to correct this issue I have the "MTU" set to 1400 on the remote WAN interface (pfSense 1.2.3). Which interface should I set on the local side, WAN or LAN? Should I use the exact same value?
None of the above :-)

System > Advanced, Misc tab. Check the box "Enable MSS clamping on VPN
traffic" and then enter whatever value you like.

Jim
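
The "don't fragment" ping measurement from the question can be turned into a TCP MSS figure as follows. This is an added example, not part of the thread and not pfSense code. It assumes IPv4 and TCP headers without options, that the reported size is the ICMP payload size, and Linux iputils `ping`; the function names are made up for illustration.

```python
import subprocess
import sys

IP_HDR = 20    # IPv4 header without options (assumption)
ICMP_HDR = 8   # ICMP echo header
TCP_HDR = 20   # TCP header without options (assumption)


def df_ping(host, payload):
    """Send one echo request with DF set (Linux iputils: -M do, -s = payload bytes)."""
    result = subprocess.run(
        ["ping", "-M", "do", "-c", "1", "-W", "2", "-s", str(payload), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def largest_payload(probe, lo=0, hi=1472):
    """Binary-search the largest payload for which probe(payload) succeeds.

    Assumes every size up to the limit passes and every size above it fails.
    Returns None when even the smallest probe does not get through.
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def mss_for(payload):
    """Return (path MTU, largest TCP MSS that fits) for a measured payload size."""
    path_mtu = payload + ICMP_HDR + IP_HDR
    return path_mtu, path_mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    host = sys.argv[1]  # an address on the far side of the tunnel
    size = largest_payload(lambda n: df_ping(host, n))
    if size is None:
        sys.exit("no reply even for the smallest probe")
    mtu, mss = mss_for(size)
    print(f"largest DF payload {size}, path MTU {mtu}, MSS must not exceed {mss}")
```
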
Nathan C. Smith
2012-02-14 20:10:00 UTC
Fantastic! I'm just glad the setting is available.

Thanks Jim.

-Nate
