Date: Sat, 21 Dec 2019 08:16:45 +0000
From: bugzilla-noreply@freebsd.org
To: net@FreeBSD.org
Subject: [Bug 242744] IPSec in transport mode between FreeBSD hosts blackholes TCP traffic
Message-ID: <bug-242744-7501-MrDmhK6UWT@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-242744-7501@https.bugs.freebsd.org/bugzilla/>
References: <bug-242744-7501@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242744

Eugene Grosbein <eugen@freebsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Open
                 CC|                            |eugen@freebsd.org

--- Comment #4 from Eugene Grosbein <eugen@freebsd.org> ---
There are multiple ways to solve this problem that work just fine for FreeBSD 11 at least.

First, one can use IPSec transport mode combined with a gif tunnel and mtu=1500 for the gif. Oversized IPv4 gif packets have the DF bit set to 0, as per the gif(4) manual page, so they get fragmented while being transmitted over a path with lowest intermediate mtu 1500 or less, and no packet drops occur.

Second, one can try sysctl net.inet.ipsec.dfbit=0, which is documented in the ipsec(4) manual page for IPSec tunnel mode, but maybe it works for transport mode, too. Check it out. Maybe you can switch your IPSec to tunnel mode.

Third, you can adjust TCP MSS by means of packet filters. For example, ipfw currently has an additional kernel module ipfw_pmod.ko and the command ipfw tcp-setmss.

-- 
You are receiving this mail because:
You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-242744-7501-MrDmhK6UWT>
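The third workaround in the comment above (clamping the TCP MSS with ipfw's tcp-setmss action) needs a number, and the right number depends on how much ESP adds to each segment. The following is an added worked example, not code from the bug report or from FreeBSD; it computes, for a given path MTU, the largest MSS whose ESP-protected segment still fits without IP fragmentation, for both transport and tunnel mode. The ESP layout (SPI, sequence number, IV, padded payload, 2-byte trailer, ICV) follows RFC 4303; the per-transform IV, block-alignment and ICV sizes in TRANSFORMS are assumed textbook values for those algorithms and are not taken from the report.

```python
"""
MSS clamp calculator for TCP over IPv4 ESP (transport or tunnel mode).

Added example. Assumptions not present in the bug report: IPv4 headers
without options, TCP data segments without options, ESP framing per
RFC 4303, and the transform parameters in TRANSFORMS below.
"""

IPV4_HDR = 20       # IPv4 header, no options
TCP_HDR = 20        # TCP header on data segments, no options
ESP_SPI_SEQ = 8     # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2     # pad length (1 byte) + next header (1 byte)

# transform name -> (iv_len, block_alignment, icv_len); assumed values
TRANSFORMS = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "aes-cbc/hmac-sha2-256": (16, 16, 16),
    "aes-gcm-16": (8, 4, 16),   # AEAD: no CBC block padding, 4-byte ESP alignment
}


def esp_overhead(plaintext_len, transform):
    """Bytes ESP adds around `plaintext_len` bytes of protected data.

    Transport mode protects TCP header + data; tunnel mode protects the
    whole inner IP packet.  Padding aligns (data + trailer) to the
    transform's block size, as RFC 4303 requires.
    """
    iv_len, align, icv_len = TRANSFORMS[transform]
    unpadded = plaintext_len + ESP_TRAILER
    padded = -(-unpadded // align) * align          # round up to alignment
    pad = padded - unpadded
    return ESP_SPI_SEQ + iv_len + pad + ESP_TRAILER + icv_len


def packet_size(mss, transform, mode="transport"):
    """On-the-wire IPv4 packet size for a full-MSS TCP segment under ESP."""
    inner = TCP_HDR + mss
    if mode == "tunnel":
        inner += IPV4_HDR                           # inner IP header is encrypted too
    return IPV4_HDR + inner + esp_overhead(inner, transform)


def clamp_mss(path_mtu=1500, transform="aes-cbc/hmac-sha1-96", mode="transport"):
    """Largest MSS whose ESP-protected segment fits in `path_mtu`.

    Starts at the plain-TCP MSS (MTU - IP - TCP) and walks down until the
    padded, authenticated packet fits.  The walk is short: ESP overhead is
    a few dozen bytes.
    """
    mss = path_mtu - IPV4_HDR - TCP_HDR
    while mss > 0 and packet_size(mss, transform, mode) > path_mtu:
        mss -= 1
    return mss


def plain_mss(path_mtu=1500):
    """MSS a host advertises with no IPsec at all; useful for comparison."""
    return path_mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        for name in TRANSFORMS:
            print(f"{mode:9s} {name:22s} MSS {clamp_mss(1500, name, mode)}")
    # A 1460-byte segment the peer sends because it only sees a 1500 MTU:
    print("unclamped 1460 under aes-cbc/hmac-sha1-96 transport ->",
          packet_size(1460, "aes-cbc/hmac-sha1-96"), "bytes (exceeds 1500)")
```

With a 1500-byte path MTU and AES-CBC/HMAC-SHA1-96 in transport mode, the result is 1418 (1398 in tunnel mode, where the inner IP header is also encrypted); an unclamped 1460-byte segment becomes a 1544-byte packet, which is exactly what gets dropped or blackholed on a 1500-byte path when DF is set. The computed value is what you would hand to the ipfw tcp-setmss action from the comment (after loading ipfw_pmod.ko), applied to SYN segments in both directions; see ipfw(8) for the rule syntax. Round down further if the path carries extra encapsulation (VLAN tags, PPPoE) or if the TCP options on SYNs push a data segment over the limit.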