Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Table of Contents
Overview
This Recommended Read was created to highlight a new KB that can help solve IPsec issues without disabling IPsec acceleration.
Symptom
- TCP connections may fail or timeout.
- Endpoints experience connectivity problems to certain servers on the internet for IPsec remote access connections.
Cause
The problem with the ICMP-dependent approach for PMTUD described is that it does not work if there are any network elements in the path that don’t generate the "ICMP Fragmentation Needed" message as needed or blocks such a message generated by another network element, due to whatever reason, including security.
With SFOS 19.0, for IPsec remote access connections, this general PMTUD issue has been exacerbated further with the introduction of the IPsec acceleration feature, as the MTU on the virtual ipsec0 tunnel interface is reduced to the minimum MTU of the WAN interfaces configured on the appliance, due to another limitation related to the interaction between the DPIE on the host and the FastPath on the NPU.
Resolution
The following are the available workarounds:
Configure MSS clamping
Configure MSS clamping for all TCP connections going through IPsec tunnels using iptables rules. The MSS value that needs to be configured on the ipsec0 tunnel interface is computed using the following formula:
mss = min(MTU of all WAN interfaces) - (ipsec overhead + ip_overhead + TCP overhead)
Assuming AES-256 with SHA1:
- ipsec overhead = 73 bytes
- ip_overhead = 20 for ipv4
- tcp overhead = 60 bytes
Assuming the minimum WAN MTU on the appliance to be 1500, the MSS value needs to be configured to 1347:
mss = 1500 - (73 + 20 + 60)
And similarly, with ip_overhead for ipv6 being 40 bytes, the MSS value would be 1327:
mss = 1500 - (73 + 40 + 60)
MSS can be configured using the iptables or ip6tables commands via Advanced Shell and using the following rules:
iptables -t mangle -A POSTROUTING -o ipsec0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1347ip6tables -t mangle -A POSTROUTING -o ipsec0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1327
Note that the iptables configuration above is not persistent across restarts, so one would have to add those commands every time the firewall is restarted for whatever reason. With 19.5 MR1, this configuration is added automatically during initialization.
Turn off IPsec Acceleration
Follow the steps described on the IPsec acceleration documentation page to turn off IPsec acceleration. This isn’t the desired option as it prevents the user from taking advantage of the processing power of NPU, which can offload traffic processing.
Configure a small value for MTU
This is the least feasible option for the administered endpoints in the network. Configure MTU to a reasonably small value that will avoid the need for fragmentation in the network.
KB
https://support.sophos.com/support/s/article/KB-000044840?language=en_US
Note: For any updates about this Recommended Read, always check the KB
Revamped RR Added Overview & Horizontal Lines Corrected Grammar
[edited by: Erick Jan at 4:10 AM (GMT -7) on 5 Oct 2023]
