Looking for advice on what settings to tweak/test and/or what to do to diagnose this problem further as I am not a network expert and there are hundreds of settings on the routers etc.
I have DrayTek Lan-to-Lan VPN IPsec Tunnel setup between 2 sites mainly to manage security on the remote site (CCTV / Alarm / Gate etc).
It all mostly works fine. From the local site (192.168.1.X) I can see all devices on the remote site (172.19.0.X), I can connect to device web interfaces, I can stream camera feeds, control devices etc.
However, one thing that does not work is remote firmware upgrades of devices. For example a camera firmware upgrade which involves a 75MB upload always just fails.
If I open up a port on the router I can remotely update a camera over the internet using the same firmware file so I know that side is all o.k. It just won't work over the IPsec Tunnel and I would like to fix that.
I have since confirmed this is a general "upload" problem by testing large ftp uploads from the same Local Site to Remote Site - they fail (stall) over the VPN.
LOCAL SITE:
WAN: Fibre Internet
DrayTek Vigor2926
DrayTek Lan to Lan accepts Dial-In:
IPsec Tunnel (IKEv1/IKEv2)
Pre-Shared Key / Medium (AH) AES
REMOTE SITE:
WAN: 3G/4G LTE Modem
DrayTek Vigor2865
DrayTek Lan to Lan Dial-Out:
IPsec Tunnel IKEv2
Pre-Shared Key / Proposal Encryption Auto
IKE Phase 2 Settings: ESP (High) AES256
Proposal Authentication: All
EDIT 1 - MTU settings on the routers:
The Local Site WAN MTU under Internet Access -> Static or Dynamic IP is set to 1500. The Remote Site WAN MTU under Internet Access -> 3G/4G/5G Modem (DHCP mode) is set to 1500 (the default according to the text there).
EDIT 2 - MTU value from ping test:
I found a ping test script here which I used to find max MTU size as follows:
- From Local Site to Remote Site over VPN:
1500
- From Local Site to Remote Site over WAN:
1500
- From my home to Local Site over WAN:
1492
- From my home to Remote Site over WAN:
1492
EDIT 3 - This DOES seem to be an MTU issue but I still don't understand fully:
The network adaptor on the Local Site has MTU set to 1500. If I temporarily change this to a lower value, for example:
sudo ifconfig enp6s0 mtu 1360
then a test FTP upload works over the VPN. But I would consider this a hacky workaround, not a solution.
I looked more closely at the router settings and found under VPN and Remote Access -> IPsec General Setup there is a setting VPN TCP maximum segment size (MSS) for IPsec (IKEv1/IKEv2) which can be between 512 and 1381 and defaults to 1360. I thought maybe this was the answer, and changing the setting to a very low value (512) does affect the ping test (it returns a max MTU value of 1044) but this still has no effect on getting uploads to work over the VPN.
I don't understand why the ping test says the max MTU is 1500 but I have to change the network adaptor MTU setting to get uploads to work, and seemingly no changes to settings on the DrayTek router allow uploads to work over its own IPsec VPN.
I finally found a solution to this, which was to lower the VPN TCP maximum segment size (MSS) to 1200 on BOTH the Local Site and the Remote Site routers.
On the newer Vigor2865 at the Remote Site the setting is in the web interface: VPN and Remote Access -> IPsec General Setup and then the IPsec value.
However, on the older Vigor2926 at the Local Site there is no such setting in the web interface (at least not on its current firmware). However, the setting still exists and can be shown and changed via the Web Console:
vpn mss show
And then in my case the 3rd value is IPsec, so:
vpn mss set 3 1200
I just chose 1200 as a lower value than the default 1360 but I still don't really understand why it needs to be that low. I understand that the VPN adds overhead but 1360 is already 140 lower than the supposed MTU of 1500... Anyway, 1200 on both sides seems to fix my upload issue.