IKEv2 mtu issue
It seems like mtu is broken on IKEv2. My isp provides connection via PPPoE with MUT of 1460. How do I overcome this broke mtu issue as I am having huge issues in website loading over VPN.
Re: IKEv2 mtu issue
It depends on how exactly it is broken. What typically happens is the following:
The LAN clients have an MTU of 1500 on their Ethernet interfaces; since the uplink has an MTU of 1460, the router drops any packet sent by the LAN client that is larger than that and has the DF flag set, and sends back an ICMP message stating that the 1500-byte packet is too large to fit without fragmentation and what the MTU of the outgoing interface is, so that the LAN client could retry with a smaller packet.
If your IPsec policy says that everything sent from the LAN subnet anywhere (to 0.0.0.0/0) must be sent via the IKEv2 tunnel, this ICMP "fragmentation needed" message gets caught and diverted by that policy too because its source address is router's own address in the LAN subnet. So if this is your case, you have to place a policy with src-address=the.lan.sub.net/mask, dst-address=the.lan.sub.net/mask, and action=none before (above) that src-address=the.lan.sub.net/mask dst-address=0.0.0.0/0 action=encrypt one.
The resulting packet sizes will be even smaller than 1460 bytes as the IPsec headers occupy part of that MTU, but that's how it should work.
If the issue is at the IKEv2 responder end that is not under your control, there is nothing you can do about it at your end except forcing MSS value in TCP SYN packets to a smaller one. But that only works for TCP, and not always - I've seen TCP servers to ignore the MSS setting coming from the client, or maybe devices somewhere on the path rewriting it to a big one.-No idea what exactly it was, but in any case the packets arriving to the bottleneck router from the remote server were way larger than even the usual 1500 bytes although the MSS from client was asking for 1450 byte packets.
The LAN clients have an MTU of 1500 on their Ethernet interfaces; since the uplink has an MTU of 1460, the router drops any packet sent by the LAN client that is larger than that and has the DF flag set, and sends back an ICMP message stating that the 1500-byte packet is too large to fit without fragmentation and what the MTU of the outgoing interface is, so that the LAN client could retry with a smaller packet.
If your IPsec policy says that everything sent from the LAN subnet anywhere (to 0.0.0.0/0) must be sent via the IKEv2 tunnel, this ICMP "fragmentation needed" message gets caught and diverted by that policy too because its source address is router's own address in the LAN subnet. So if this is your case, you have to place a policy with src-address=the.lan.sub.net/mask, dst-address=the.lan.sub.net/mask, and action=none before (above) that src-address=the.lan.sub.net/mask dst-address=0.0.0.0/0 action=encrypt one.
The resulting packet sizes will be even smaller than 1460 bytes as the IPsec headers occupy part of that MTU, but that's how it should work.
If the issue is at the IKEv2 responder end that is not under your control, there is nothing you can do about it at your end except forcing MSS value in TCP SYN packets to a smaller one. But that only works for TCP, and not always - I've seen TCP servers to ignore the MSS setting coming from the client, or maybe devices somewhere on the path rewriting it to a big one.-No idea what exactly it was, but in any case the packets arriving to the bottleneck router from the remote server were way larger than even the usual 1500 bytes although the MSS from client was asking for 1450 byte packets.
Re: IKEv2 mtu issue
@sindy,
can i confirm with you:
src-address=the.lan.sub.net/mask, dst-address=the.lan.sub.net/mask, and action=none
does that mean:
dst-address=local-lan/mask src-address=remote-lan/mask
can i confirm with you:
src-address=the.lan.sub.net/mask, dst-address=the.lan.sub.net/mask, and action=none
does that mean:
dst-address=local-lan/mask src-address=remote-lan/mask
Re: IKEv2 mtu issue
I am also facing another issue. Whenever I am trying to access an webserver on my lan via IP it shows the webserver that has port 80 forwareded to it. This is only for remote users using VPN. Apps work well, google yeilds search results yet 90% websites don't load. I am sharing the config:
Code: Select all
/ip ipsec policy group
add name=ike2
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128 \
hash-algorithm=sha256
add enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=ike2
/ip ipsec peer
add exchange-mode=ike2 name=kalpak passive=yes profile=ike2 \
send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 pfs-group=modp2048
add auth-algorithms=sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr,aes-25\
6-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-\
gcm" name=ike2 pfs-group=none
/ip ipsec mode-config
add address-pool=ipsec-roadwarrior address-prefix-length=32 name=ike2 \
split-include=0.0.0.0/0 static-dns=8.8.8.8 system-dns=no
/ppp profile
add change-tcp-mss=yes name=BSNL-PPPoE
add change-tcp-mss=yes name=ABSPL-PPPoE
set *FFFFFFFE dns-server=192.168.72.53
/ip firewall filter
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward connection-state=\
established,related disabled=yes hw-offload=yes
add action=accept chain=forward connection-state=established,related \
disabled=yes
add action=drop chain=input connection-state=invalid in-interface=BSNL-PPPoE
add action=accept chain=input comment="ICMP Allow" in-interface=BSNL-PPPoE \
protocol=icmp
add action=accept chain=input comment="IGMP Allow" in-interface=BSNL-PPPoE \
protocol=igmp
add action=accept chain=input comment="IGMP Allow" in-interface=BSNL-PPPoE \
protocol=ipsec-esp
add action=accept chain=input comment="GRE Allow" in-interface=BSNL-PPPoE \
protocol=gre
add action=accept chain=input comment="Allow UDP ports" dst-port=\
500,1701,2000,3389,4500,4789,5198,5199,5201,8472,9993,13231-13235 \
in-interface=BSNL-PPPoE protocol=udp
add action=accept chain=input comment="Allow TCP ports" dst-port=\
22,80,443,1723,2000,2200,3389,6969,8006,8080,8291,8888,9993,32700-39000 \
in-interface=BSNL-PPPoE protocol=tcp
add action=accept chain=input connection-state=established in-interface=\
BSNL-PPPoE
add action=accept chain=input connection-state=related in-interface=\
BSNL-PPPoE
add action=accept chain=input connection-state=untracked in-interface=\
BSNL-PPPoE
add action=drop chain=input in-interface=BSNL-PPPoE
/ip firewall mangle
add action=change-mss chain=forward comment="Fix MSS for VPN server" new-mss=\
1300 passthrough=yes protocol=tcp src-address=192.168.55.0/29 tcp-flags=\
syn tcp-mss=!0-1300
add action=change-mss chain=forward comment="Fix MSS for VPN server" \
dst-address=192.168.55.0/29 new-mss=1300 passthrough=yes protocol=tcp \
tcp-flags=syn tcp-mss=!0-1300
/ip firewall nat
add action=masquerade chain=srcnat out-interface=BSNL-PPPoE
/ip ipsec identity
add generate-policy=port-override mode-config=ike2 my-id=\
fqdn:ec190ff69b86.sn.mynetname.net peer=kalpak policy-template-group=ike2 \
remote-id=ignore
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/0 group=ike2 proposal=ike2 \
src-address=0.0.0.0/0
add action=none dst-address=0.0.0.0/0 src-address=192.168.23.0/24
add action=none dst-address=0.0.0.0/0 src-address=192.168.24.0/24
add action=none dst-address=0.0.0.0/0 src-address=192.168.72.0/23
add dst-address=192.168.55.0/29 group=ike2 proposal=ike2 src-address=\
0.0.0.0/0 template=yesRe: IKEv2 mtu issue
i think should be other way around, according from
viewtopic.php?t=154449
I asked sindy for cunformation , but im sure that dst- shoud be your lan range
viewtopic.php?t=154449
I asked sindy for cunformation , but im sure that dst- shoud be your lan range
Re: IKEv2 mtu issue
No. The src-address and dst-address must refer to the same LAN subnet in these action=none policies, as their purpose is to prevent packets sent by the router itself to a host in its own LAN subnet from getting handled by the dst-address=0.0.0.0/0 src-address=lan.sub.net/mask action=encrypt policy.can i confirm with you:
does that mean:
dst-address=local-lan/mask src-address=remote-lan/mask
But according to the configuration, this is actually totally unrelated to @mafiosa's use case, as he uses the Mikrotik as an IKEv2 responder, not client, and the action=enrypt policies generated for initiators fom the template say dst-address=192.168.55.x src-address=0.0.0.0/0. So there is no danger of ICMP "fragmentation needed" packets sent by the router itself to be diverted to a wrong path, and no need to prevent this using any action=none policies.
Plus, given that the workaround for broken PMTU discovery, i.e. adjusting MSS in mangle, is in place, a broken PMTUD should not be the reason of the issues encountered (at least not for 90 % of sites).
So @mafiosa, at this point I would sniff the traffic on the router to see how the connection to a particular problematic web site looks like, as the configuration looks fine to me (ok, permitting RDP port 3389 in chain input of /ip firewall filter is a nonsense indicating some misunderdtandings at your side, but that has nothing to do with the issue you suffer from.
Sorry, I don't understand the description of this other issue. I can see no port forwarding rule in the export, and I would expect that seeing a server in the LAN is what you actually want if you have set a port forwarding rule. So please reword the description, state what is the expected behaviour and how the actual one differs from that.I am also facing another issue. Whenever I am trying to access an webserver on my lan via IP it shows the webserver that has port 80 forwareded to it. This is only for remote users using VPN.
Re: IKEv2 mtu issue
Apps work well, google yeilds search results yet 90% websites don't load.
I encountered exactly the same problem. what is the solution. My clients connect via ikev2, the connection goes through without problems, they ping to the router, the address resolves both on the local network and on the Internet, but from the sites only Google search opens and not a single site opens? what needs to be checked?
I encountered exactly the same problem. what is the solution. My clients connect via ikev2, the connection goes through without problems, they ping to the router, the address resolves both on the local network and on the Internet, but from the sites only Google search opens and not a single site opens? what needs to be checked?
Re: IKEv2 mtu issue
Post the export (not screenshots) of your configuration. Something similar as described in post #2 must be happening, but in your case, it would be the remote server (web site) that doesn't receive the information that the usable MTU is lower on the path from your router to your phone. But the Path MTU Discovery (PMTUD) mechanism may be broken also for other reasons than missing or incorrect IPsec policies.what needs to be checked?
Re: IKEv2 mtu issue
firewall everything is allowed for the test. input addresses have been changed; everything else is from the working router, on which the client 10.50.0.12 opens only the Google search engine; all other sites are not accessible.
Code: Select all
# mar/03/2024 16:06:57 by RouterOS 6.49.10
# software id = UH1D-IK15
#
# model = CCR1016-12G
# serial number = D6450EB884C9
/interface bridge
add arp=reply-only name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] name=ether7
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
/interface vlan
add interface=ether1-WAN name=vlan1 vlan-id=1
/interface list
add name=Lan
add name=WAN
add name=discover
/ip ipsec mode-config
add address=10.50.0.12 address-prefix-length=22 name=IKEv2-Server static-dns=\
172.16.0.1 system-dns=no
/ip ipsec policy group
add name=ipsec
add name=IKEv2-Server
/ip ipsec profile
add enc-algorithm=aes-256,aes-192,aes-128,3des name=ipsec-profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=\
aes-256,aes-192,aes-128,3des hash-algorithm=sha256 name=IKEv2-Server
/ip ipsec peer
add exchange-mode=ike2 local-address=123.45.67.89 name=IKEv2-Server passive=\
yes profile=IKEv2-Server
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des name=\
ipsec-proposal pfs-group=none
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr\
,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" \
lifetime=8h name=IKEv2-Server pfs-group=none
/ip pool
add name=pool4 ranges=172.16.4.1-172.16.4.254
add name=pool3 next-pool=pool4 ranges=172.16.3.1-172.16.3.254
add name=pool2 next-pool=pool3 ranges=172.16.2.1-172.16.2.254
add name=pool1 next-pool=pool2 ranges=172.16.1.1-172.16.1.254
/ppp profile
add change-tcp-mss=yes name=l2tp-remote-client-to-site only-one=no \
use-compression=yes use-encryption=yes
/snmp community
set [ find default=yes ] disabled=yes
add addresses=0.0.0.0/0 name=snmp_public
/system logging action
set 1 disk-file-count=10
set 3 bsd-syslog=yes remote=172.16.1.135 syslog-facility=syslog
add name=ipsec target=memory
add name=l2tp target=memory
/interface bridge port
add bridge=bridge1 hw=no interface=ether7
add bridge=bridge1 interface=vlan1
/ip neighbor discovery-settings
set discover-interface-list=none
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp-remote-client-to-site \
enabled=yes one-session-per-host=yes use-ipsec=required
/interface pptp-server server
set authentication=mschap2 default-profile=pptp
/ip address
add address=172.16.0.1/22 interface=bridge1 network=172.16.0.0
add address=123.45.67.89/29 interface=\
ether1-WAN network=123.45.67.89
/ip dhcp-server network
add address=172.16.0.0/22 dns-server=172.16.0.1 gateway=172.16.0.1 \
ntp-server=172.16.0.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d cache-size=10240KiB servers=\
8.8.8.8,1.1.1.1
/ip firewall filter
add action=accept chain=forward
add action=accept chain=output
add action=accept chain=input
/ip firewall mangle
add action=change-mss chain=forward ipsec-policy=in,ipsec new-mss=1360 \
passthrough=yes protocol=tcp src-address=10.50.0.12 tcp-flags=syn \
tcp-mss=!0-1360
add action=change-mss chain=forward dst-address=10.50.0.12 ipsec-policy=\
out,ipsec new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn \
tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.50.0.12
add action=masquerade chain=srcnat src-address=172.16.0.0/22 out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
add auth-method=digital-signature certificate=vpn.ike2 generate-policy=\
port-strict match-by=certificate mode-config=IKEv2-Server peer=\
IKEv2-Server policy-template-group=IKEv2-Server remote-certificate=\
ra@vpn.ike2 remote-id=user-fqdn:ra@vpn.ike2
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ipsec proposal=ipsec-proposal src-address=\
0.0.0.0/0 template=yes
add dst-address=10.50.0.0/24 group=IKEv2-Server proposal=IKEv2-Server \
src-address=0.0.0.0/0 template=yes
/ip route
add check-gateway=ping distance=1 gateway=11.12.34.56
/ip route rule
add action=lookup-only-in-table src-address=123.45.67.89/32 table=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=28291
set api-ssl disabled=yes
/snmp
set enabled=yes trap-community=snmp_public trap-interfaces=\
ether7 trap-version=2
/system clock
set time-zone-name=manual
/system clock manual
set dst-delta=+01:00 dst-end="oct/28/2019 00:00:00" dst-start=\
"mar/31/2019 00:00:00" time-zone=+02:00
/system identity
set name=mtk-ccr1016
/system leds
add leds=fault-led type=fan-fault
add leds=user-led type=flash-access
/system package update
set channel=long-term
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Lan
/tool mac-server ping
set enabled=no
Last edited by anis on Mon Mar 04, 2024 12:58 pm, edited 1 time in total.
Re: IKEv2 mtu issue
First, you may want to edit also the gateway IP from the export.
Next, I can see you've got the two action=change-mss rules in forward mangle, do I get it right that they don't help?
I'd like to see the output of /ip ipsec policy print detail (with public addresses redacted of course); if that gives no hint, advanced sniffing will be the last resort.
I have seen situations where the change-mss rules didn't help because some idiot at the ISP was using change-mss too but ignoring the pre-existing MSS value so happily setting a higher one. Proving that case would involve setting up a TCP session to another device somewhere else in the internet, on which you could sniff as well, to see the value in the MSS field of your SYN upon reaching that device after passing through the internet and your ISP in particular.
Next, I can see you've got the two action=change-mss rules in forward mangle, do I get it right that they don't help?
I'd like to see the output of /ip ipsec policy print detail (with public addresses redacted of course); if that gives no hint, advanced sniffing will be the last resort.
I have seen situations where the change-mss rules didn't help because some idiot at the ISP was using change-mss too but ignoring the pre-existing MSS value so happily setting a higher one. Proving that case would involve setting up a TCP session to another device somewhere else in the internet, on which you could sniff as well, to see the value in the MSS field of your SYN upon reaching that device after passing through the internet and your ISP in particular.
Re: IKEv2 mtu issue
action=change-mss tried changing different values, without results. I’m also inclined to believe that the problem is with the provider, and if so, is it possible to get through this without changing the provider? What needs to be done to identify and track this?
Code: Select all
[mtk@mtk-ccr1016] > /ip ipsec
[mtk@mtk-ccr1016] /ip ipsec> export
# mar/04/2024 13:04:15 by RouterOS 6.49.10
# software id =
#
# model = CCR1016-12G
# serial number =
/ip ipsec mode-config
add address=10.50.0.12 address-prefix-length=22 name=IKEv2-Server static-dns=\
172.16.0.1 system-dns=no
/ip ipsec policy group
add name=ipsec
add name=IKEv2-Server
/ip ipsec profile
add enc-algorithm=aes-256,aes-192,aes-128,3des name=ipsec-profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=\
aes-256,aes-192,aes-128,3des hash-algorithm=sha256 name=IKEv2-Server
add name=copy
/ip ipsec peer
add exchange-mode=ike2 local-address=ip wan name=IKEv2-Server passive=\
yes profile=IKEv2-Server
add disabled=yes exchange-mode=ike2 name=copy passive=yes profile=IKEv2-Server
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des name=ipsec-proposal \
pfs-group=none
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr,a\
es-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" \
lifetime=8h name=IKEv2-Server pfs-group=none
add name=copy
/ip ipsec identity
add auth-method=digital-signature certificate=vpn.ike2 generate-policy=\
port-strict match-by=certificate mode-config=IKEv2-Server peer=IKEv2-Server \
policy-template-group=IKEv2-Server remote-certificate=ra@vpn.ike2 \
remote-id=user-fqdn:ra@vpn.ike2
add auth-method=digital-signature certificate=name comment=copy \
disabled=yes generate-policy=port-strict match-by=certificate mode-config=\
IKEv2-Server peer=IKEv2-Server policy-template-group=IKEv2-Server \
remote-certificate=ra@name remote-id=user-fqdn:ra@name
add disabled=yes generate-policy=port-strict mode-config=IKEv2-Server peer=\
IKEv2-Server policy-template-group=IKEv2-Server secret=\
"vJ\$beWkTJ7q@9S~`>]q)YrLH"
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ipsec proposal=ipsec-proposal src-address=\
0.0.0.0/0 template=yes
add dst-address=10.50.0.0/24 group=IKEv2-Server proposal=IKEv2-Server \
src-address=0.0.0.0/0 template=yes
add comment=copy disabled=yes dst-address=0.0.0.0/0 group=IKEv2-Server \
proposal=IKEv2-Server src-address=0.0.0.0/0 template=yes
[mtk@mtk-ccr1016] /ip ipsec>
Last edited by anis on Mon Mar 04, 2024 1:13 pm, edited 1 time in total.
Re: IKEv2 mtu issue
To identify that, I would sniff the TCP SYN+ACK packets arriving via WAN and see what MSS they carry. If it is smaller than 1460, it suggests something between your WAN and the sender is tampering with it. But to be really sure, you need a device on a public address somewhere in the internet (like your friend's one on a public address provided by some other ISP than yours) and sniffing simultaneously on it and your WAN when trying to open its address for web or telnet (it doesn't matter whether the service is actually listening there, we are interested in just the SYN packet contents, it need not be responded).
As for "without changing the provider", I'm afraid you'd have to use a virtual machine somewhere in a data center and create a tunnel to it in order to bypass the mishandling of MSS by the ISP. But talking nicely to the ISP might be an easier way?
As for "without changing the provider", I'm afraid you'd have to use a virtual machine somewhere in a data center and create a tunnel to it in order to bypass the mishandling of MSS by the ISP. But talking nicely to the ISP might be an easier way?
Re: IKEv2 mtu issue
I posted the entire ipsec, only the wan ip was replaced and the email was in the certificates, the rest is as is and the rules are inactive
Re: IKEv2 mtu issue
https://ibb.co/WkL4RjBTo identify that, I would sniff the TCP SYN+ACK packets arriving via WAN and see what MSS they carry. If it is smaller than 1460, it suggests something between your WAN and the sender is tampering with it. But to be really sure, you need a device on a public address somewhere in the internet (like your friend's one on a public address provided by some other ISP than yours) and sniffing simultaneously on it and your WAN when trying to open its address for web or telnet (it doesn't matter whether the service is actually listening there, we are interested in just the SYN packet contents, it need not be responded).
As for "without changing the provider", I'm afraid you'd have to use a virtual machine somewhere in a data center and create a tunnel to it in order to bypass the mishandling of MSS by the ISP. But talking nicely to the ISP might be an easier way?
Last edited by anis on Mon Mar 04, 2024 1:43 pm, edited 1 time in total.
Re: IKEv2 mtu issue
Export shows the configured items; the actual policies are generated dynamically from the templates. And your templates are quite wide. That's why I want the output of the print rather than the export for the policies.
Re: IKEv2 mtu issue
OkExport shows the configured items; the actual policies are generated dynamically from the templates. And your templates are quite wide. That's why I want the output of the print rather than the export for the policies.
this is with active client 10.50.0.12 ikev2
https://ibb.co/Sf1qkt8
Re: IKEv2 mtu issue
I have asked for /ip ipsec policy print detail. But what bothers me here is that the dynamically generated policy for the phone is marked as I (Invalid), which makes little sense to me given that there is only a single actual policy - the rest are templates.
Re: IKEv2 mtu issue
sorryI have asked for /ip ipsec policy print detail. But what bothers me here is that the dynamically generated policy for the phone is marked as I (Invalid), which makes little sense to me given that there is only a single actual policy - the rest are templates.
https://ibb.co/L8GhWPz
Re: IKEv2 mtu issue
But talking nicely to the ISP might be an easier way?
ISP said that nothing is being done about traffic
Last edited by anis on Mon Mar 04, 2024 4:45 pm, edited 1 time in total.
Re: IKEv2 mtu issue
@anis You and sindy are the only ones active here so please, don't qoute so much.
Re: IKEv2 mtu issue
The policy looks fairly normal (the dst-address is a /32 one), and this time it is not invalid. So there is no way how the policy could cause it.
So time for sniffing I'd say, ideally at both ends of the TCP connection - "we don't do anything special" is the standard Layer 1 support response that sticks until you prove them wrong
. Have you got another device on a public address you could sniff at?
So time for sniffing I'd say, ideally at both ends of the TCP connection - "we don't do anything special" is the standard Layer 1 support response that sticks until you prove them wrong
. Have you got another device on a public address you could sniff at?Re: IKEv2 mtu issue
Sniff to file on both, matching on the public ip address of the other one at each (so if the public IP address of your local one is l.l.l.l, set ip-address=l.l.l.l in the sniffer filter. What we are interested in are not just the TCP packets but also ICMP ones, so we cannot filter on anything more detailed. But you can prevent sniffing the remote access connection if you connect to the remote one from your local machine by excluding the port from the sniff, like port=!22 if you connect using SSH.
Then try to connect to the remote address from your browser - even if there is no HTTP or HTTPS server running on the remote machine so the browser will throw an error after some time, the SYN packets will nevertheless arrive there and get sniffed. Of course, connecting to a service that does run there would be better as you would be able to sniff also the SYN+ACK response.
Once the browser gives up or the connection succeeds depending on what you actually try, stop the sniffing, open both files in Wireshark and see what the MSS value in the SYN (and, eventually, SYN+ACK) packets is.
Then try to connect to the remote address from your browser - even if there is no HTTP or HTTPS server running on the remote machine so the browser will throw an error after some time, the SYN packets will nevertheless arrive there and get sniffed. Of course, connecting to a service that does run there would be better as you would be able to sniff also the SYN+ACK response.
Once the browser gives up or the connection succeeds depending on what you actually try, stop the sniffing, open both files in Wireshark and see what the MSS value in the SYN (and, eventually, SYN+ACK) packets is.
Re: IKEv2 mtu issue
if I did everything correctly, but the packages are unchanged (tried without tunnel, since on a machine with a public IP it is not possible to install a tunnel)
MSS 1460
something's wrong here (I connected 2 isp to Mikrotik and connect to both with no result)
I already changed the ISP but the result is the same
the connection is working but the sites do not open
MSS 1460
something's wrong here (I connected 2 isp to Mikrotik and connect to both with no result)
I already changed the ISP but the result is the same
the connection is working but the sites do not open
Re: IKEv2 mtu issue
Well, the idea was to see whether the ISP does not set the MSS back to high value if you lower it using your mangle rules. From our description I am not sure whether we understood each other - my idea was that you don't change a single thing on your local machine and try to connect from a browser on the phone connected to it via IKEv2 to a TCP port on the public address of the other machine. Have you done that or something else?
Re: IKEv2 mtu issue
I don’t quite understand you correctly.
I have a Mikrotik with two ISPs, public white addresses, I can connect to it via IKEv2 from a phone or PC with a gray address.
what else should I do step by step to check the problem, but it is unlikely that there are 2 independent providers and the result is this, maybe my settings are incorrect or everything is ok with the settings
I have a Mikrotik with two ISPs, public white addresses, I can connect to it via IKEv2 from a phone or PC with a gray address.
what else should I do step by step to check the problem, but it is unlikely that there are 2 independent providers and the result is this, maybe my settings are incorrect or everything is ok with the settings
Re: IKEv2 mtu issue
If it behaves the same when the tunnel is established via another ISP, I agree with you that it does not look like an ISP issue. Hence it needs to sniff a single connection to a web site that fails and see what exactly is going on there. So find a web site that does not work, find out its IP address, and sniff traffic to&from this address on ether1 into a file. Then try opening that site and open the file in Wireshark once the attempt fails. You should see whether the server repeatedly retransmits some large packet, which would indicate that neither the PMTUD nor the change-mss rules worked, so that large packet makes it to your router but not further via the tunnel, or whether something else is wrong there.
You may also consider following this link.
You may also consider following this link.
Re: IKEv2 mtu issue
Wireshark I'm running it on a PC that connects to Mikrotik via IKEv2, right?
Is it possible to analyze all this on a PC or not?
Is it possible to analyze all this on a PC or not?
Here it’s not at all clear what needs to be done and why?You may also consider following this link.
Re: IKEv2 mtu issue
No. Sniff into a file on the Mikrotik itself as you supposedly did before, connect to the unreachable site from a phone connected via IKEv2, then stop sniffing, download the file to a PC and open it using Wireshark.Wireshark I'm running it on a PC that connects to Mikrotik via IKEv2, right?
That's just an offer for a direct contact if you feel that a more interactive communication (in your native language) could help.Here it’s not at all clear what needs to be done and why?
Re: IKEv2 mtu issue
[/quote]
direct contact.
[/quote]
ок telegram
direct contact.
[/quote]
ок telegram
Re: IKEv2 mtu issue
I want to say right away that I don’t really understand the reason for what’s happening, but something tells me that the settings are wrong somewhere and the provider has nothing to do with it.
for
I made a L2TP/Ipsec VPN on the same Mikrotik and everything was connected from the clients and all sites opened
I try to ping -f -l 1373 and higher, it already requires fragmentation and does not work without VPN until -f -l 1472 successfully, even on L2TP/Ipsec VPN, even on ikev2
but with L2TP/Ipsec everything works, with ikev2 it doesn’t
for
I made a L2TP/Ipsec VPN on the same Mikrotik and everything was connected from the clients and all sites opened
I try to ping -f -l 1373 and higher, it already requires fragmentation and does not work without VPN until -f -l 1472 successfully, even on L2TP/Ipsec VPN, even on ikev2
but with L2TP/Ipsec everything works, with ikev2 it doesn’t
Re: IKEv2 mtu issue
when opening sites (that are not accessible)Then try opening that site and open the file in Wireshark
https://ibb.co/8DzCs80
Re: IKEv2 mtu issue
ok
That's just an offer for a direct contact if you feel that a more interactive communication (in your native language) could help.
Re: IKEv2 mtu issue
Sorry for my lack of responsiveness, yesterday and today are quite busy. The TCP SYN packets in your last screenshots only show that the server did not respond at all, so that's definitely not MTU related. But there are no addresses so I can't see whether the NAT did not happen or something else went wrong.
So was the source address of those SYN packets the public WAN IP of the router or some other one?
So was the source address of those SYN packets the public WAN IP of the router or some other one?
Re: IKEv2 mtu issue
https://ibb.co/Fn5MptS
10.50.0.12 IP client ikev2
destination IP site (don't open)
but why are there no packets from IP site to destination client 10.0.50.12
this is what it looks like if I connect via L2TP/Ipsec
https://ibb.co/wQVrq0W
10.50.0.12 IP client ikev2
destination IP site (don't open)
but why are there no packets from IP site to destination client 10.0.50.12
this is what it looks like if I connect via L2TP/Ipsec
https://ibb.co/wQVrq0W
Re: IKEv2 mtu issue
Can you show me the sniffer settings? Because it is normal that the source address is the private one on the way from the phone to the router, but on the way from the router to the external server, the source address should be the WAN one of the router. In your sniffs, there is only one copy of each packet, so I suppose you have narrowed the sniffer filter down to a particular interface.
As for Telegram - the post above explains how to encrypt your phone number using my public key and post it here encrypted so that nobody else than me could decrypt it.
As for Telegram - the post above explains how to encrypt your phone number using my public key and post it here encrypted so that nobody else than me could decrypt it.
Re: IKEv2 mtu issue
packet sniffer
https://ibb.co/QkS6RPP
WAN address blurred out
client address and website address is open
https://ibb.co/QkS6RPP
WAN address blurred out
client address and website address is open
Re: IKEv2 mtu issue
To provide a conclusion to the story: the root cause of the issue was a dst-nat rule matching on in-interface-list=WANxy but not taking into account whether the packet coming in through WAN was indeed a "direct" one coming to the public IP address of the WAN or an IPsec payload one extracted from a transport packet (the latter inherits the in-interface attribute from the transport one). So connections to regular web sites (HTTPS over TCP port 443) that came in via an IPsec SA got redirected to an internal address, and the most likely reason why Google sites worked was that the browser uses QUIC (on UDP port 443) instead of TCP to connect to them so the rule didn't affect these connections.Apps work well, google yeilds search results yet 90% websites don't load.
Re: IKEv2 mtu issue
@sindy. Thank you very much for your fast and, most importantly, quality help.
There was an expected serious error in the NAT configuration
To which Sindy pointed out, I followed the wrong path of the mangle chain
There was an expected serious error in the NAT configuration
To which Sindy pointed out, I followed the wrong path of the mangle chain