From owner-freebsd-net@FreeBSD.ORG Fri Jan 23 14:19:43 2015
Return-Path:
Delivered-To: net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 1722B307 for ; Fri, 23 Jan 2015 14:19:43 +0000 (UTC)
Received: from smtp.zeninc.net (smtp.zeninc.net [80.67.176.25]) by mx1.freebsd.org (Postfix) with ESMTP id 8357EB65 for ; Fri, 23 Jan 2015 14:19:41 +0000 (UTC)
Received: from nono (nono.zen.inc [192.168.1.95]) by smtp.zeninc.net (smtpd) with ESMTP id 119022798C4; Fri, 23 Jan 2015 15:13:38 +0100 (CET)
Received: by nono (Postfix, from userid 1000) id E5F93202C4; Fri, 23 Jan 2015 15:13:37 +0100 (CET)
Date: Fri, 23 Jan 2015 15:13:37 +0100
From: VANHULLEBUS Yvan
To: Andrei Brezan
Subject: Re: IPSEC MTU routing issue
Message-ID: <20150123141337.GA13989@zeninc.net>
References: <54BFB4B5.3070705@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <54BFB4B5.3070705@gmail.com>
User-Agent: All mail clients suck. This one just sucks less.
Cc: net@freebsd.org
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Fri, 23 Jan 2015 14:19:43 -0000

Hi.

On Wed, Jan 21, 2015 at 03:16:21PM +0100, Andrei Brezan wrote:
> Weird subject, maybe.
>
> I'm running FreeBSD-10.0-RELEASE with PF as firewall and racoon for
> IPSEC. The IPSEC tunnel is between the FreeBSD box and a Fortinet
> appliance.
>
> The IPSEC tunnel comes up and on a quick test it seems to be
> working, icmp between networks is ok, you can successfully telnet to
> services on the other side. However, when you need to transfer some
> data strange things happen. I'm really trying to wrap my head around
> it and I still don't understand why it happens
> (http://pastebin.com/NAspcM9w). The packets smaller than 1260 and
> larger than 1417 are delivered to vlan103, the ones in between are
> not.

I'm not sure why you have this strange issue. Having a look at your
IPsec/ESP related kernel stats may give a first idea.

But I know that, even if you find a fix for this, you'll have very poor
performance as soon as packets start to be fragmented, and your data
transfers may just stall forever.

So, the usual way of solving that is to change the TCPMSS "low enough"
on the fly for all IPsec related traffic. 1300 is a common value, low
enough to avoid fragmentation, and high enough to keep good throughput.

Of course, this will only work for TCP, but most big packets / long
flows are done on TCP.

Yvan.

> If anyone has any idea why this might happen please shed some light.
>
> # tcpdump -nttti gif0
>
> 00:00:00.000000 IP "a.b.c.d" > "e.f.g.h": ICMP echo request, id 21034, seq 1, length 1108
> 00:00:43.603248 IP "a.b.c.d" > "e.f.g.h": ICMP echo request, id 22826, seq 1, length 1308
>
> # tcpdump -nttti enc0
>
> 00:00:00.000000 (authentic,confidential): SPI 0x0d06e35d: IP 109.235.79.81 > 193.239.202.174: IP "a.b.c.d" > "e.f.g.h": ICMP echo request, id 21034, seq 1, length 1108 (ipip-proto-4)
> 00:00:00.000139 (authentic,confidential): SPI 0x86741d6b: IP "e.f.g.h" > "a.b.c.d": ICMP echo reply, id 21034, seq 1, length 1108
> 00:00:00.000006 (authentic,confidential): SPI 0x86741d6b: IP 193.239.202.174 > 109.235.79.81: IP "e.f.g.h" > "a.b.c.d": ICMP echo reply, id 21034, seq 1, length 1108 (ipip-proto-4)
> 00:00:43.603102 (authentic,confidential): SPI 0x0d06e35d: IP 109.235.79.81 > 193.239.202.174: IP "a.b.c.d" > "e.f.g.h": ICMP echo request, id 22826, seq 1, length 1308 (ipip-proto-4)
>
> # tcpdump -nttti vlan103 host "a.b.c.d"
>
> 00:00:00.000000 IP "a.b.c.d" > "e.f.g.h": ICMP echo request, id 21034, seq 1, length 1108
> 00:00:00.000109 IP "e.f.g.h" > "a.b.c.d": ICMP echo reply, id 21034, seq 1, length 1108
>
> Thanks,
>
> --
> Andrei
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"