Date:      Tue, 25 Oct 2005 00:07:43 +0100
From:      Volker <volker@vwsoft.com>
To:        freebsd-net@freebsd.org
Subject:   more on IPSec + gif stalling
Message-ID:  <435D693F.5090502@vwsoft.com>

Hi guys!

I've done another test on the IPSec + gif issue.

Here at my home network I'm running a RELENG_6 box and I've also just
set up a 2nd test server (RELEASE_5_4).

Both are connected by a direct 100 MBit/s LAN connection.

Set up IPSec rules for both machines, created a gif tunnel between both
and sent traffic through the tunnel and the result is the same. As soon
as some amount of data (somewhat around 56k to 64k) has been transferred
through the gif tunnel, the transfer session stalls.

When not using a gif tunnel over IPSec, everything is fine.

This means:
IPSec + gif + firewall (pf) = tcp sessions within the gif tunnel stalls
IPSec + gif - firewall = just works
IPSec - gif + firewall = just works
-IPSec + gif + firewall = just works

In my test scenario I've secured the outside of the gif tunnel by IPSec.
I haven't checked what happens when the inside of the gif tunnel is
being secured by IPSec. Also I've checked with both kernel options IPSEC
and FAST_IPSEC. It didn't make a difference.

I've checked the inside of the gif tunnel and the outside for suspicious
packets but couldn't find one.

I've checked for IPSec tunnel mode and transport mode and as soon as I'm
using a gif tunnel, a data session running inside the gif tunnel dies
sooner or later (transport/tunnel does not make any difference to this
issue). When disabling the firewall (pf) at the __senders' side__
(important!)  the data transfer does not stall.

Nothing is being blocked by the firewall (triple checked). It's not
just pf as ipfw is being reported to the same effect. pf 'scrub' rules
don't make any difference (tested with and without scrubbing).

Really, I don't believe this is an MTU issue. In my test scenario I've
two hosts directly connected via ethernet (100BaseT), MTU = 1500, gif
MTU = 1280, no router between.

If somebody else is using a gif tunnel over IPSec on a recent release
(RELENG_5/6, RELEASE_5_x) plus firewall, please provide me (by private
email) with your kernel config, racoon.conf and your ipsec rules. That
way I might check out different kernel settings and test that out here
using my test setup.

When talking about 'tcp session within the gif tunnel': I haven't
checked if this also happens to udp. I've checked tcp sessions through
the gif tunnel by scp and a plain ascii transfer by using (g)netcat.

Matthew and I have dealt out to test an IPSec + gif setup over the
public internet one more time. I bet this will show the stalling, too.

bye,

Volker