Discussion:
Is there any reason I can't Remote desktop through an ipsec tunnel?
Marty Nelson
16 years ago
I have an IPSec tunnel connecting my network to one of our customer sites, and while I can ping a computer on their network I am unable to remote desktop to it. Currently all of our customer tunnels are set up to terminate in our DMZ to limit access back into our network. I have a second firewall (monowall) in our DMZ that then routes all traffic out through the tunnel. I've drawn a rudimentary layout of how it's set up (see below).

I have the IPsec rules to pass all traffic, and currently I have it set up to log all traffic as well. What's strange is that when I attempt to remote desktop to it, I see no traffic relating to that at all. Nothing passing, nothing getting blocked. Like I said, I can ping the box just fine (and it shows up in the log), but I am unable to remote desktop to it and I don't see anything getting blocked or passed.

Hopefully this made sense. If it's unclear, please let me know and I'll try my best to clear it up.

LAN (192.168)---[pfSenseFW]---DMZ (10.100)---[monowall]---[ipsec tunnel to cust site]---Cust site

Thanks,

-Marty
Marty Nelson
16 years ago
I'm so sorry for the read receipts!

Thanks,

-Marty

From: Marty Nelson
Sent: Thursday, March 26, 2009 3:30 PM
To: support-***@public.gmane.org
Subject: Is there any reason I can't Remote desktop through an ipsec tunnel?

Fuchs, Martin
16 years ago
Perhaps some kind of MTU issue?
RDP often has MTU issues ;-)

Regards,

Martin

Marty Nelson
16 years ago
That's a good point. Where would I see if that was an issue?

Thanks,

-Marty

From: Fuchs, Martin [mailto:martin.fuchs-***@public.gmane.org]
Sent: Thursday, March 26, 2009 5:11 PM
To: 'support-***@public.gmane.org'
Subject: [pfSense Support] AW: Is there any reason I can't Remote desktop through an ipsec tunnel?

Fuchs, Martin
16 years ago
Sometimes the RDP connection cannot be established, sometimes the connection gets stuck...
You can try to lower the MTU on the WAN side and see if the issue gets resolved...
Regards and good luck, Martin

From: Marty Nelson [mailto:MNelson-07YZtJczBOlWk0Htik3J/***@public.gmane.org]
Sent: Friday, March 27, 2009 15:43
To: support-***@public.gmane.org
Subject: [pfSense Support] RE: Is there any reason I can't Remote desktop through an ipsec tunnel?

Adam Armstrong
16 years ago
...
I would say that it's almost certainly MTU-related. RDP always seems to
be the first thing hit by a failure of the pmtud mechanism to work.

The IPSEC tunnel will be reducing your MTU, and when the RDP server
tries to send out a packet it'll get dropped. Try reducing the MTU of
the interface of the server?

This usually manifests itself by the login screen background appearing
(presumably because it fits into < 1492 bytes), but then nothing more.
Doesn't sound exactly like what you're seeing, but RDP + IPSEC issues
are usually MTU-related IME.

adam.

---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscribe-***@public.gmane.org
For additional commands, e-mail: support-help-***@public.gmane.org

Commercial support available - https://portal.pfsense.org
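The arithmetic behind Adam's point that the tunnel shrinks the usable MTU, plus the probe size for Martin's suggestion of checking it, as an added example that is not from the thread or from pfSense/m0n0wall: it assumes ESP tunnel mode with AES-CBC and HMAC-SHA1-96 (an assumption; other cipher suites change the overhead) and derives the inner MTU, the TCP MSS to clamp to, and the DF-ping payload size (Linux `ping -M do -s N` syntax) to send across the tunnel.

```python
# Added example (not from the thread): how much an ESP tunnel reduces the usable
# MTU and what to set or probe as a result. Assumes ESP tunnel mode over IPv4 with
# AES-CBC (16-byte block and IV) and HMAC-SHA1-96 (12-byte ICV), per the RFC 4303
# packet layout; these cipher parameters are an assumption, not taken from the thread.
from dataclasses import dataclass

OUTER_IP = 20      # outer IPv4 header
UDP_HDR = 8        # only present with NAT traversal (UDP encapsulation)
ESP_HDR = 8        # SPI + sequence number
IP_TCP_HDRS = 40   # inner IPv4 + TCP headers without options
IP_ICMP_HDRS = 28  # inner IPv4 + ICMP echo header

@dataclass(frozen=True)
class EspParams:
    block: int = 16    # cipher block size; the encrypted part is padded to it
    iv: int = 16       # IV sent in clear ahead of the ciphertext
    icv: int = 12      # integrity check value appended after the ciphertext
    nat_t: bool = False

def esp_outer_len(inner_len: int, p: EspParams = EspParams()) -> int:
    """Wire size of one inner IPv4 packet after ESP tunnel encapsulation."""
    # encrypted part = inner packet + padding + pad-length byte + next-header byte
    padded = -(-(inner_len + 2) // p.block) * p.block
    return OUTER_IP + (UDP_HDR if p.nat_t else 0) + ESP_HDR + p.iv + padded + p.icv

def max_inner_mtu(outer_mtu: int, p: EspParams = EspParams()) -> int:
    """Largest inner packet whose encapsulated form still fits the outer MTU."""
    # padding makes the outer size grow in block-sized steps, so walk down
    for inner in range(outer_mtu, 0, -1):
        if esp_outer_len(inner, p) <= outer_mtu:
            return inner
    raise ValueError("outer MTU too small for any payload")

def tcp_mss_clamp(inner_mtu: int) -> int:
    return inner_mtu - IP_TCP_HDRS

def df_ping_payload(inner_mtu: int) -> int:
    return inner_mtu - IP_ICMP_HDRS

def needs_fragmentation(inner_len: int, outer_mtu: int, p: EspParams = EspParams()) -> bool:
    """True when a DF-marked inner packet of this size cannot cross the tunnel whole."""
    return esp_outer_len(inner_len, p) > outer_mtu

if __name__ == "__main__":
    for mtu in (1500, 1492):   # plain Ethernet and PPPoE WAN links
        inner = max_inner_mtu(mtu)
        print(f"outer MTU {mtu}: inner MTU {inner}, clamp MSS to {tcp_mss_clamp(inner)}, "
              f"probe with: ping -M do -s {df_ping_payload(inner)} <host>")
    print("full 1500-byte RDP segment crosses a 1500-byte tunnel path unfragmented?",
          not needs_fragmentation(1500, 1500))
```

If the probe at the computed payload size succeeds but a larger one silently times out with no "Frag needed" reply, the ICMP that PMTUD depends on is being lost, which is the black hole Adam describes; clamping MSS or lowering the interface MTU to the computed inner value works around it.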
Marty Nelson
16 years ago
When you say to adjust the MTU on the server, forgive the question, but which server?

Thanks,

-Marty


-----Original Message-----
From: Adam Armstrong [mailto:lists-***@public.gmane.org]
Sent: Friday, March 27, 2009 2:14 AM
To: support-***@public.gmane.org
Subject: Re: [pfSense Support] Is there any reason I can't Remote desktop through an ipsec tunnel?