From owner-freebsd-net@freebsd.org Fri Dec 20 16:03:59 2019
Date: Fri, 20 Dec 2019 23:03:57 +0700
From: Victor Sudakov <vas@sibptus.ru>
To: freebsd-net@freebsd.org
Subject: Re: IPSec transport mode, mtu, fragmentation...
Message-ID: <20191220160357.GB56081@admin.sibptus.ru>
References: <20191220152314.GA55278@admin.sibptus.ru>
User-Agent: Mutt/1.12.2 (2019-09-21)
List-Id: Networking and TCP/IP with FreeBSD

Kajetan Staszkiewicz wrote:
> On 20.12.19 16:23, Victor Sudakov wrote:
> > Dear Colleagues,
> >
> > I've set up IPSec in transport mode between two regular FreeBSD hosts,
> > for testing. Now TCP sessions between those hosts don't work normally
> > any more. For example, scp is stalled almost immediately after starting
> > a file transfer, and so is interactive ssh eventually.
> >
> > I feel that the problem is somehow related to MTU, MSS and fragmentation
> > of ESP packets, because:
> >
> > 1. When IPSec is disabled, I can "ping -s1472 -D" the remote host all
> > right.
> >
> > 2. When IPSec is enabled, the maximum packet size I've been able to send
> > through is "ping -s1414 -D". ("ping -s1415 -D host-b" already disappears
> > in the void).
> >
> > I'm really at a loss what to do about that. In transport mode, there is
> > no network interface I could adjust MTU on, or run some kind of MSS
> > fixer.
>
> Maybe you could add a route to the remote host with the -mtu parameter.

Just tried "route add -host host-b -mtu 1400 gw". The route is there with
the right mtu (according to "route get host-b") but it did not help.
Probably the packet is intercepted by IPsec before it gets into routing.

What gives? Setting up IPsec transport mode between hosts should be a
simple thing which *just* *works*. What's the root of the problem? ESP
packets cannot get fragmented or what?

> I've never tested this because I have interfaces (either if_ipsec or if_gif
> protected with transport mode IPSec) and I do mss clamping in pf, but
> this could work.

My goal being the creation of an IPSec protected network between several
hosts (running on X.509 certificates to enable automatic traffic
protection), configuring tunnels or additional interfaces on each host
would be unfeasible.
-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet
http://vas.tomsk.ru/
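An added example (not from the thread or from FreeBSD) that works through the ESP overhead arithmetic behind the ping sizes discussed above: for a given cipher/integrity combination it computes the on-the-wire size of a transport-mode ESP packet and the largest `ping -s` value that still fits a 1500-byte MTU, which is the ceiling a packet above it "disappears" over when nothing fragments or signals it. The three suites, the optional NAT-T UDP header and the IPv4-without-options assumption are illustrative choices; the thread does not say which algorithms were in use.

```python
from dataclasses import dataclass

# Constructed parameters (not from the thread): IPv4 without options, ESP per
# RFC 4303, NAT-T UDP encapsulation per RFC 3948. ping -s gives the bytes
# after the 8-byte ICMP echo header.
IPV4_HDR = 20
ICMP_HDR = 8
UDP_HDR = 8        # present only with UDP encapsulation (NAT-T)
ESP_SPI_SEQ = 8    # ESP header: SPI (4) + sequence number (4)


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int   # explicit IV carried at the start of the ESP payload
    align: int    # padding alignment: cipher block size, or 4 for AEAD modes
    icv_len: int  # integrity check value appended to the packet


# Standard field sizes for three common suites (assumed; the thread names none).
AES_CBC_SHA1 = EspSuite("aes-cbc + hmac-sha1-96", iv_len=16, align=16, icv_len=12)
DES3_CBC_MD5 = EspSuite("3des-cbc + hmac-md5-96", iv_len=8, align=8, icv_len=12)
AES_GCM_128 = EspSuite("aes-gcm-128", iv_len=8, align=4, icv_len=16)


def esp_transport_len(inner_payload_len, suite, udp_encap=False):
    """On-the-wire size (IPv4 header included) of a transport-mode ESP packet
    protecting an IP payload of inner_payload_len bytes, e.g. ICMP header + data."""
    # Payload + padding + pad-length (1) + next-header (1) must be a multiple of align.
    pad = (-(inner_payload_len + 2)) % suite.align
    esp = ESP_SPI_SEQ + suite.iv_len + inner_payload_len + pad + 2 + suite.icv_len
    return IPV4_HDR + (UDP_HDR if udp_encap else 0) + esp


def max_ping_payload(mtu, suite, udp_encap=False):
    """Largest ping -s value whose ESP-protected echo request still fits the MTU."""
    # Walk down from the cleartext ceiling (1472 bytes for a 1500-byte MTU).
    for size in range(mtu - IPV4_HDR - ICMP_HDR, -1, -1):
        if esp_transport_len(ICMP_HDR + size, suite, udp_encap) <= mtu:
            return size
    return 0


if __name__ == "__main__":
    for suite in (AES_CBC_SHA1, DES3_CBC_MD5, AES_GCM_128):
        for encap in (False, True):
            limit = max_ping_payload(1500, suite, encap)
            print(f"{suite.name:24} nat-t={str(encap):5} max 'ping -s' = {limit}")
```

Because CBC padding rounds the payload up to a whole block, the ceiling moves in steps rather than by the fixed header cost alone, so a difference of one byte in `ping -s` can turn a 1496-byte packet into a 1512-byte one.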