Date:      Fri, 24 Oct 2003 17:26:49 +0200
From:      Eric Masson <e-masson@kisoft-services.com>
To:        Mailing List FreeBSD Network <freebsd-net@FreeBSD.org>
Subject:   ipsec tunnels & packet length issues
Message-ID:  <8665iehd1i.fsf@t39bsdems.interne.kisoft-services.com>

Hello,

I'm facing a problem with the following setup:

                    +-----------------+ DMZ +----+ LAN +------+
  Internet ---------+ Tunnel Endpoint +-----+ Fw +-----+ Host |
                    +-----------------+     +----+     +------+

"Tunnel Endpoint" : FreeBSD 4.8-RELEASE with fastipsec on a NET4801
"Fw"              : Firewall 1
"Host"            : Any host (tested with FreeBSD 5.1-CURRENT, Linux
                    RH9)

When I'm connecting to "Host" in "LAN" from a box connected to the other
end of a tunnel managed by "Tunnel Endpoint", the following happens:
- back traffic is composed of small-sized packets: everything works fine
- back traffic is composed of LAN-MTU-sized packets: connection freezes.

From a tcpdump on the DMZ interface of "Tunnel Endpoint", traffic from
"Host" comes in fine.

Traffic on the "Internet" interface differs depending on the size of the
packets coming from "Host":
- small-sized packets: ESP tunnel packets with the correct SPI flow out
- LAN-MTU-sized packets: ESP tunnel packet fragments

If I reduce the LAN interface MTU on "Host" to approximately 1450, the
tunnel works fine, so it seems that "Tunnel Endpoint" can't correctly
process packets with a size of 1500 bytes.

If more information regarding this issue is needed, just ask.

Is this a known issue?

Apart from playing with the MTU, is there a fix?

TIA

Regards

Eric Masson

-- 
 Attention: any message directed against a mediabarre user will be
 reported to the competent authorities
 -+- Crétin in <http://www.le-gnu.net>: Not-so-bright idiot reported.