Date: Thu, 29 Jan 2015 10:48:18 +0100
From: Andrei Brezan <andrei693@gmail.com>
Cc: net@freebsd.org
Subject: Re: IPSEC MTU routing issue
Message-ID: <54CA01E2.2040404@gmail.com>
In-Reply-To: <20150123141337.GA13989@zeninc.net>
References: <54BFB4B5.3070705@gmail.com> <20150123141337.GA13989@zeninc.net>
On 01/23/15 15:13, VANHULLEBUS Yvan wrote:
> Hi.
>
> On Wed, Jan 21, 2015 at 03:16:21PM +0100, Andrei Brezan wrote:
>> Weird subject, maybe.
>>
>> I'm running FreeBSD-10.0-RELEASE with PF as firewall and racoon for
>> IPSEC. The IPSEC tunnel is between the FreeBSD box and a Fortinet
>> appliance.
>>
>> The IPSEC tunnel comes up and on a quick test it seems to be
>> working, icmp between networks is ok, you can successfully telnet on
>> services on the other side. However when you need to transfer some
>> data strange things happen. I'm really trying to wrap my head around
>> it and I still don't understand why it happens
>> (http://pastebin.com/NAspcM9w). The packets smaller than 1260 and
>> larger than 1417 are delivered to vlan103, the ones in between are
>> not.
>
> I'm not sure why you have this strange issue.
> Having a look at your IPsec/ESP related kernel stats may give a first
> idea.
>
> But I know that, even if you find a fix for this, you'll have very
> poor performance as soon as packets start to be fragmented, and your
> data transfers may just stall forever.
>
> So, the usual way of solving that is to change the TCPMSS "low enough"
> on the fly for all IPsec related traffic.
> 1300 is a common value, low enough to avoid fragmentation, and high
> enough to keep good throughput.
>
> Of course, this will only work for TCP, but most big packets / long
> flows are done on TCP.

Thanks Yvan,

The ICMP started working at some point, most likely when I changed something in my config or the other side did; I wasn't able to identify it.
I still had the issues specified in this thread https://forums.freebsd.org/threads/ipsec-racoon-gif-packet-routing-issues-transfer-stall-fail.50085/
I managed to resolve the problems with an update from Release 10.0 to 10.1

--
Andrei