From owner-freebsd-net@FreeBSD.ORG Mon Oct 24 21:19:27 2005
Return-Path:
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CDFA416A41F for ; Mon, 24 Oct 2005 21:19:27 +0000 (GMT) (envelope-from volker@vwsoft.com)
Received: from tce71.tce85.de (tce71.tce85.de [195.145.102.20]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4675543D49 for ; Mon, 24 Oct 2005 21:19:24 +0000 (GMT) (envelope-from volker@vwsoft.com)
Received-SPF: unknown (tce71.tce85.de: error in processing during lookup of domain of vwsoft.com: Could not find a valid SPF record) client-ip=83.242.60.134; envelope-from=volker@vwsoft.com; helo=mail.vtec.ipme.de;
Received: from mail.vtec.ipme.de (134-60-242-83.dip.h-tel.de [83.242.60.134]) by tce71.tce85.de (Postfix) with ESMTP id 74DAC17092 for ; Mon, 24 Oct 2005 23:19:21 +0200 (CEST)
Received: from [192.168.16.3] (cesar.sz.vwsoft.com [192.168.16.3]) by mail.vtec.ipme.de (Postfix) with ESMTP id 7F69D5C4F; Mon, 24 Oct 2005 23:19:09 +0200 (CEST)
Message-ID: <435D5DDE.60000@vwsoft.com>
Date: Mon, 24 Oct 2005 23:19:10 +0100
From: Volker
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.10) Gecko/20050716 Thunderbird/1.0.6 Mnenhy/0.6.0.101
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: VANHULLEBUS Yvan
References: <435C0C3A.6070000@shrew.net> <20051024073804.GA8190@zen.inc> <435D0641.2060208@shrew.net> <20051024160822.GB28295@zen.inc>
In-Reply-To: <20051024160822.GB28295@zen.inc>
X-Enigmail-Version: 0.92.1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-VWSoft-MailScanner: Found to be clean
X-TarmacCE-MailScanner: Found to be clean
X-MailScanner-From: volker@vwsoft.com
Cc: freebsd-net@freebsd.org, Matthew Grooms
Subject: Re: IPSec tcp session stalling ( me too ) ...
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 24 Oct 2005 21:19:28 -0000

Yvan,

>> 2) a gif tunnel
>
> No, and that's the main difference for now: I *never* used Gif
> interfaces.

And that's the point. When not using a gif interface to pass traffic through the IPSec tunnel, I don't see any trouble at all and everything works fine. As soon as a gif interface is involved, the TCP (haven't checked with UDP) session running inside the gif tunnel breaks. When either not using IPSec, not enabling pf or not using gif, everything is fine.

My setup always secured the outside of the tunnel. I haven't checked securing the inside of the gif tunnel by using IPSec.

Volker

On 2005-10-24 17:08, VANHULLEBUS Yvan wrote:
> On Mon, Oct 24, 2005 at 11:05:21AM -0500, Matthew Grooms wrote:
>
>> Yvan,
>>
>> VANHULLEBUS Yvan wrote:
>>
>>> We have *lots* of Gates running FreeBSD 4.11 and IPSEC (not
>>> FAST_IPSEC), and I already have some 5.3 / 6.0 gates, also using
>>> IPSEC.
>>>
>>> Yvan.
>>
>> I have a 4.11 server in production handling VPN traffic that is
>> working perfectly as well. With 5.x or 6.x, my testing shows that
>> traffic originating from a VPN gateway that traverses the tunnel works
>> without a problem too. I only see this happen with TCP traffic, on 5.x+
>> while running a packet filter ( pf or ipfw ) and forwarding traffic
>> sourced from a private network that matches the IPSEC security policy.
>
> Ok.
>
>> Volker is seeing the problem with TCP traffic, when he is running 5.x+
>> while running a packet filter and forwarding gif tunnel traffic that
>> matches the IPSEC security policy.
>
> It really looks like we all experienced different problems (my
> "problem" is the MTU issue I regularly see) which have "some common
> aspects".
>
>> So, I appreciate your input by stating that your servers are not
>> experiencing the same problem we are seeing. But before you dismiss the
>> validity of our issue, you should be able to answer yes to all of
>> the following questions.
>
> I don't dismiss anything, just telling that this is not a "global IPSec
> issue", but "something more specific". My first idea was the MTU
> issue, it looks like it's not that.
>
>> Are you ...
>>
>> A) Running 5.x or 6.x
>
> 6.0 on at least one production gate, and we are starting to do heavy
> tests on some 5.4 gates (yes, I know, this can look strange, but the
> 6.0 Gate is not related to our global "production").
>
>> B) Running a packet filter
>
> Pf on the 6.0 Gate, specific packet filter on 4.11 / 5.4 products.
>
>> C) Protecting traffic being forwarded from either
>>  1) a private network
>
> Yes
>
>>  2) a gif tunnel
>
> No, and that's the main difference for now: I *never* used Gif
> interfaces.
>
>> D) Sending TCP traffic
>
> I can answer "sending lots of TCP traffic, including, for example,
> some large (lots of Mb) scp file transfers".
>
> Yvan.