Date:      Fri, 20 Dec 2019 16:26:25 +0100
From:      Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To:        freebsd-net@freebsd.org
Subject:   Re: IPSec transport mode, mtu, fragmentation...
Message-ID:  <f38d1f3c-dc47-0776-29f9-2151b05e09b0@tuxpowered.net>
In-Reply-To: <20191220152314.GA55278@admin.sibptus.ru>
References:  <20191220152314.GA55278@admin.sibptus.ru>

On 20.12.19 16:23, Victor Sudakov wrote:
> Dear Colleagues,
> 
> I've set up IPSec in transport mode between two regular FreeBSD hosts,
> for testing. Now TCP sessions between those hosts don't work normally
> any more. For example, scp is stalled almost immediately after starting
> a file transfer, and so is interactive ssh eventually.
> 
> I feel that the problem is somehow related to MTU, MSS and fragmentation
> of ESP packets, because:
> 
> 1. When IPSec is disabled, I can "ping -s1472 -D" the remote host all
> right.
> 
> 2. When IPSec is enabled, the maximum packet size I've been able to send
> through is "ping -s1414 -D". ("ping -s1415 -D host-b" already disappears
> in the void).
> 
> I'm really at a loss what to do about that. In transport mode, there is
> no network interface I could adjust MTU on, or run some kind of MSS
> fixer.

Maybe you could add a route to the remote host with the -mtu parameter. I've
never tested this because I have interfaces (either if_ipsec or if_gif
protected with transport mode IPSec) and I do mss clamping in pf, but
this could work.

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
|  Kajetan Staszkiewicz  | jabber,email: vegeta()tuxpowered net  |
|        Vegeta          | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'
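A calculator for the size arithmetic behind this thread, added here as an example (not code from either poster): given a path MTU and an ESP transform it derives the largest `ping -s` value that still fits, the MTU for the host route suggested above, and the equivalent MSS for pf clamping. The transform parameters are assumptions; the thread does not show the SAs in use, so the poster's exact 1414 figure is not reproduced.

```python
# Added example, not code from either poster in this thread.
# ESP transport-mode framing per RFC 4303: IPv4 header, SPI + seq, IV,
# payload, padding, pad-length + next-header, ICV. Transform values are assumed.

IPV4_HDR = 20        # IPv4 header without options
ICMP_ECHO_HDR = 8    # what `ping -s N` adds on top of N data bytes
TCP_HDR = 20         # TCP header without options, for the MSS figure
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)

# transform -> (iv_len, pad_alignment, icv_len); assumed, typical values
TRANSFORMS = {
    "aes-cbc/hmac-sha1-96":  (16, 16, 12),
    "aes-cbc/hmac-sha2-256": (16, 16, 16),
    "aes-gcm-16":            (8, 4, 16),
}


def esp_packet_len(payload_len, transform):
    """On-the-wire size of one transport-mode ESP packet carrying payload_len bytes."""
    iv, align, icv = TRANSFORMS[transform]
    # Payload plus trailer is padded up to the cipher block size (at least 4 bytes)
    padded = -(-(payload_len + ESP_TRAILER) // align) * align
    return IPV4_HDR + ESP_HDR + iv + padded + icv


def max_ping_payload_plain(mtu):
    """Largest `ping -s N` without IPsec: the thread's 1472 for a 1500 MTU."""
    return mtu - IPV4_HDR - ICMP_ECHO_HDR


def max_ping_payload(path_mtu, transform):
    """Largest `ping -s N` that still fits once ESP is added (no fragmentation)."""
    n = max_ping_payload_plain(path_mtu)
    while esp_packet_len(ICMP_ECHO_HDR + n, transform) > path_mtu:
        n -= 1
    return n


def host_route_mtu(path_mtu, transform):
    """MTU for `route add -host <peer> <gateway> -mtu N`: esp_packet_len grows
    with payload size, so the largest packet the route allows decides."""
    m = path_mtu
    while esp_packet_len(m - IPV4_HDR, transform) > path_mtu:
        m -= 1
    return m


def clamp_mss(path_mtu, transform):
    """Equivalent MSS for pf's `scrub ... max-mss`, if clamping is preferred."""
    return host_route_mtu(path_mtu, transform) - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    for t in TRANSFORMS:
        print(t, max_ping_payload(1500, t), host_route_mtu(1500, t), clamp_mss(1500, t))
```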

