VPN

Hi.

We have used a m0n0wall as my main firewall for some time now, and we have a VPN site 2 site connection. This tunnel is runing a citrix connection in it. The firmware on the m0n0 is at the moment 1.11 and everything works fine, but the wall needs a rebooting sometimes. Then I tried to upgrade the wall from 1.11 to 1.22. The upgrade went fine and no trouble going on the internet and the S2S vpn came up ok. The trouble starts when we try to connect to the citrix in the other end, we just get a blue desktop with a mousepointer.

We have also tried with a M$ ISA 2006 firewall just to check if that did solve the problem. It didn't. I have checked the Phase I and II, and there is no difference in the setup. We connect against a cisco VPN consentrator. I can run ping against the Citrix servere in the other end and I can also telnet to port 1494 (ICA) and get a response, so the tunnel is alive and kicking, but something must have changed from 1.11 to 1.22.

Anyone? I'm now back on 1.11 and would like to be on the latest one.

I found the answer... it's the MTU. And the MTU size on the WAN interface does not work on a IPSec Site to Site VPN. Guess this is a bug in M0n0wall. Works on fw1.11, not on 1.22 and 1.231

Yes, that definitely sounds like a MTU issue. MSS clamping doesn't affect IPsec traffic properly, and PMTUD doesn't work right with IPsec. Known limitations. I'm surprised this works on 1.1x though.

Some have reported if you allow fragments on your default LAN rule things work.