Created on ‎07-14-2011 07:00 AM
```
E:\>ping 192.168.40.3 -l 3072

Pinging 192.168.40.3 with 3072 bytes of data:
Reply from 192.168.40.3: bytes=3072 time=133ms TTL=126
Reply from 192.168.40.3: bytes=3072 time=134ms TTL=126
Reply from 192.168.40.3: bytes=3072 time=133ms TTL=126
Reply from 192.168.40.3: bytes=3072 time=133ms TTL=126

Ping statistics for 192.168.40.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 133ms, Maximum = 134ms, Average = 133ms
```

This is a plain vanilla IPSec VPN tunnel to a FGT in a different city. I tested with the tunnel initially down or up, same result.
PCNSE
NSE
StrongSwan
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
The biggest packet I can send is 1410 bytes. So that should be the payload size. What's your internet access line? DSL?

To answer the other information, the DF status would be captured with a tcpdump or tshark/wireshark tool. Not sure if the diagnose sniffer would display this. The packets are probably being dropped during the tunnel encapsulation. I'm not sure, or never heard of, tunnel information handling anything with regards to DF bits or anything within the IPnIP encapsulation that IPSEC has.

To determine if the access line is the culprit, have you tried oversize pings from outside the tunnel to something else on the internet? And with and without DF set? This would give you an idea of the path MTU size, e.g. (2 different pings from my wire to www.google.com with the Don't frag set, using the unix ping on openbsd):

```
$ ping -D -s 1470 -c 4 www.google.com
PING www.l.google.com (74.125.71.104): 1470 data bytes
72 bytes from 74.125.71.104: icmp_seq=0 ttl=52 time=155.182 ms (TRUNC!)
72 bytes from 74.125.71.104: icmp_seq=1 ttl=52 time=155.999 ms (TRUNC!)
72 bytes from 74.125.71.104: icmp_seq=2 ttl=52 time=155.236 ms (TRUNC!)
72 bytes from 74.125.71.104: icmp_seq=3 ttl=52 time=155.824 ms (TRUNC!)

--- www.l.google.com ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 155.182/155.560/155.999/0.453 ms

$ ping -D -s 1479 -c 4 www.google.com
PING www.l.google.com (74.125.71.103): 1479 data bytes
ping: sendto: Message too long
ping: wrote www.l.google.com 1507 chars, ret=-1
ping: sendto: Message too long
ping: wrote www.l.google.com 1507 chars, ret=-1
ping: sendto: Message too long
ping: wrote www.l.google.com 1507 chars, ret=-1
ping: sendto: Message too long
ping: wrote www.l.google.com 1507 chars, ret=-1
```
PCNSE
NSE
StrongSwan
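Added example, not code from the thread: a small Python helper that automates the DF-set oversize-ping approach suggested above. It classifies each ping run's output (reply, local "Message too long", on-path "frag needed", or silence), binary-searches the largest payload that crosses the path, and derives the path MTU and a matching tcp-mss value. The sample output strings and `simulated_probe` are constructed stand-ins so it runs offline; on a real host the probe would wrap a `ping -D -s SIZE -c 1 HOST` subprocess call.

```python
import re
from typing import Callable

# Constructed sample outputs mirroring the cases seen in this thread: a DF-set
# probe that fits, one the local stack rejects, and one an on-path hop bounces.
SAMPLE_FIT = "72 bytes from 74.125.71.104: icmp_seq=0 ttl=52 time=155.182 ms (TRUNC!)"
SAMPLE_TOO_LONG = "ping: sendto: Message too long"
SAMPLE_FRAG_NEEDED = "From 10.0.0.1 icmp_seq=1 Frag needed and DF set (mtu = 1410)"
IP_HDR, ICMP_HDR, TCP_HDR = 20, 8, 20

def classify(ping_output: str) -> str:
    """Classify one DF-set ping run as ok, local-mtu, path-mtu or lost."""
    if "Message too long" in ping_output:
        return "local-mtu"   # size exceeds the sending interface's own MTU
    if re.search(r"frag(mentation)? needed", ping_output, re.I):
        return "path-mtu"    # a hop replied ICMP type 3 code 4 instead of forwarding
    if re.search(r"\d+ bytes from", ping_output):
        return "ok"
    return "lost"            # no answer: the probe or the ICMP error was filtered

def find_max_payload(probe: Callable[[int], str], lo: int = 0, hi: int = 1472) -> int:
    """Binary-search the largest ICMP payload that crosses the path with DF set.
    probe(size) must run one DF ping with that payload size and return its text."""
    best = lo
    while lo <= hi:
        mid = (lo + hi) // 2
        if classify(probe(mid)) == "ok":
            best, lo = mid, mid + 1
        else:
            hi = mid - 1
    return best

def path_mtu(max_payload: int) -> int:
    """Largest IP packet that passed: ICMP payload plus ICMP and IP headers."""
    return max_payload + ICMP_HDR + IP_HDR

def suggested_tcp_mss(mtu: int) -> int:
    """MSS that keeps a full TCP segment (IP + TCP headers) inside that MTU."""
    return mtu - IP_HDR - TCP_HDR

def simulated_probe(mtu: int = 1410, local_mtu: int = 1500) -> Callable[[int], str]:
    """Hypothetical stand-in for `ping -D -s SIZE -c 1 HOST` so the search runs
    offline; on a real host wrap subprocess.run(...) and return stdout+stderr."""
    def probe(size: int) -> str:
        if size + ICMP_HDR + IP_HDR > local_mtu:
            return SAMPLE_TOO_LONG
        if size + ICMP_HDR + IP_HDR > mtu:
            return SAMPLE_FRAG_NEEDED.replace("1410", str(mtu))
        return SAMPLE_FIT
    return probe
```

With the simulated 1410-byte path, `find_max_payload` stops at a 1382-byte payload, which maps back to a 1410-byte path MTU and a tcp-mss of 1370; Bob's 3072-byte pings without DF only got through because they were fragmented on the way.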
```
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.2.1 255.255.255.0
        set allowaccess ping https ssh snmp telnet
        set type physical
        set tcp-mss 1400
        set description "Inside (gateway) interface"
        set alias "LAN"
    next
end
```
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com