Date:      Sun, 4 Jun 2006 23:11:41 -0400
From:      Christopher Sean Hilton <chilton@vindaloo.com>
To:        freebsd-questions@freebsd.org
Subject:   IPSec tcp session stalling
Message-ID:  <20060605031141.GA1048@dagobah.vindaloo.com>
In-Reply-To: <44832BBC.2070600@FreeBSD.org>
References:  <44832827.7030403@FreeBSD.org> <b2203fed0606041147n2a0ba20ra619f8a7b197fb22@mail.gmail.com> <44832BBC.2070600@FreeBSD.org>

I'm having a problem with a FreeBSD workstation that tried to connect
to a remote VPN via an IPSec tunnel. Here's my setup:

A FreeBSD workstation: W

An OpenBSD router: LR

And another OpenBSD router: RR

A remote FreeBSD server: S

LR and RR are connected via an IPSec tunnel. W shares the local
ethernet with LR and LR is W's default gateway. S shares the remote
ethernet with RR and RR is S's default gateway.

The problem comes when I use scp. If I try to send a file bigger than
1400 bytes or so from W to S or vice versa the connection stalls and I
seem to be left waiting for Godot. If I tcpdump the connection I see
that when sending a file from W to S, LR sends W an ICMP message which
states that the last tcp packet was too large and it should change
its MTU. But the connection stalls right there. I noticed that
OpenBSD has a flag on scrub rules called no-df which strips the Don't
Fragment flag from the packet. Turning this bit on fixes the problem.

I'm wondering why FreeBSD doesn't send anything after it gets the ICMP
message which states that it needs to change its mtu for that
connection?

-- Chris

-- 
Chris Hilton                                   chris-at-vindaloo-dot-com
------------------------------------------------------------------------
                "All I was doing was trying to get home from work!"
                                                 -- Rosa Parks
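
Added example, not part of the original message: a small Python check that reads `tcpdump -n` text output and reports, for each ICMP "need to frag" message, whether the sender ever followed up with a data segment small enough for the advertised MTU, which is the stall described above. The capture lines, addresses and MTU value are constructed, the current tcpdump text format is assumed, and a 40-byte IP+TCP header without options is assumed.

```python
import re

# Constructed capture: W = 10.0.0.5, LR = 10.0.0.1, S = 192.168.2.10 (all made up).
SAMPLE = """\
23:01:10.000100 IP 10.0.0.5.50123 > 192.168.2.10.22: Flags [.], seq 1:1449, ack 1, win 65535, length 1448
23:01:10.000300 IP 10.0.0.1 > 10.0.0.5: ICMP 192.168.2.10 unreachable - need to frag (mtu 1438), length 36
23:01:11.200000 IP 10.0.0.5.50123 > 192.168.2.10.22: Flags [.], seq 1:1449, ack 1, win 65535, length 1448
23:01:13.600000 IP 10.0.0.5.50123 > 192.168.2.10.22: Flags [.], seq 1:1449, ack 1, win 65535, length 1448
"""

ICMP_RE = re.compile(
    r"IP (\S+) > (\S+): ICMP (\S+) unreachable - need to frag \(mtu (\d+)\)")
TCP_RE = re.compile(r"IP (\S+)\.\d+ > (\S+)\.\d+: Flags \[[^\]]*\].* length (\d+)")


def find_pmtud_stalls(capture, hdr=40):
    """Return one finding per ICMP need-frag message seen in the capture.

    hdr is the assumed IP+TCP header size added to tcpdump's payload length.
    A finding is 'stalled' when no data segment that fits the advertised MTU
    was sent from the notified host to the same destination afterwards.
    """
    findings = []
    for line in capture.splitlines():
        m = ICMP_RE.search(line)
        if m:
            findings.append({"router": m.group(1), "sender": m.group(2),
                             "dest": m.group(3), "mtu": int(m.group(4)),
                             "oversized_after": 0, "fitting_after": 0})
            continue
        m = TCP_RE.search(line)
        if not m or int(m.group(3)) == 0:
            continue  # not TCP, or a pure ACK that says nothing about path MTU
        src, dst, length = m.group(1), m.group(2), int(m.group(3))
        for f in findings:
            if f["sender"] == src and f["dest"] == dst:
                fits = length + hdr <= f["mtu"]
                f["fitting_after" if fits else "oversized_after"] += 1
    for f in findings:
        f["stalled"] = f["fitting_after"] == 0
    return findings


if __name__ == "__main__":
    for f in find_pmtud_stalls(SAMPLE):
        print(f)
```
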


