From: VANHULLEBUS Yvan
To: freebsd-net@freebsd.org
Date: Mon, 30 Oct 2006 11:38:34 +0100
Subject: Re: Path MTU discovery broken in IPSec
Message-ID: <20061030103834.GB9549@zen.inc>
In-Reply-To: <20061027203322.X2293@gauntlet.os.org.za>

On Fri, Oct 27, 2006 at 09:03:35PM +0200, Khetan Gajjar wrote:
> Hi.

Hi.

[....]

> racoon does its thing, and the ipsec tunnels come up. I can ping
> both sides, and there are no ipfw rules running. Connectivity via
> ssh and nfs seems to work fine, as do DNS zone transfers (for very
> small zones).
>
> Connectivity from host 2 to host 1 works perfectly. From host 1
> to host 2 however, TCP sessions break / stall / timeout. I've tried
> reducing the MTU sizes from the default 1500 to 1492 on both
> interfaces, and that makes no difference.
Try to lower it again (or, simpler, try to lower the TCPMSS on the fly on one of the IPSec gates), to generate TCP packets with a size lower than... well, 1300 should probably be enough, but you can also try directly with a very small value (lower than 1000) to be sure it is / is not related to that.

Yvan.

-- 
NETASQ http://www.netasq.com
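As an added illustration of why the MSS has to be clamped well below the interface MTU (example code, not part of the thread): ESP tunnel mode adds an outer IP header plus a cipher-dependent IV, padding and ICV, and the script below computes the largest inner packet and TCP MSS that still fit a given outer link MTU. The transform sizes are standard ESP values; the 1500-byte outer MTU and the chosen transforms are assumptions, not the poster's configuration.

```python
"""Effective inner MTU / TCP MSS after ESP tunnel-mode encapsulation (added example)."""

# Tunnel-mode ESP wraps the whole inner IP packet:
#   outer IPv4 (20) | [UDP 8, NAT-T] | ESP hdr (8: SPI+seq) | IV | inner packet
#   | pad | pad-len (1) next-hdr (1) | ICV
IPV4_HDR = 20
TCP_HDR = 20
UDP_HDR = 8        # only present with NAT traversal (UDP encapsulation)
ESP_HDR = 8
ESP_TRAILER = 2    # pad length + next header

# cipher -> (IV length, padding block size); "null" still needs 4-byte alignment
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16), "null": (0, 4)}
# authenticator -> ICV length in bytes
AUTH_ICV = {"hmac-md5-96": 12, "hmac-sha1-96": 12, "hmac-sha2-256-128": 16}


def esp_packet_size(inner_len, cipher, auth, nat_t=False):
    """Size on the wire of one ESP packet carrying an inner_len-byte IP packet."""
    iv, block = CIPHERS[cipher]
    payload = inner_len + ESP_TRAILER
    pad = (-payload) % block                # pad so payload+trailer fills whole blocks
    udp = UDP_HDR if nat_t else 0
    return IPV4_HDR + udp + ESP_HDR + iv + payload + pad + AUTH_ICV[auth]


def fits(inner_len, link_mtu, cipher, auth, nat_t=False):
    """True if the encapsulated packet leaves the gateway without fragmentation."""
    return esp_packet_size(inner_len, cipher, auth, nat_t) <= link_mtu


def max_inner_packet(link_mtu, cipher, auth, nat_t=False):
    """Largest inner IP packet that fits in one outer packet on this link MTU."""
    size = link_mtu
    while not fits(size, link_mtu, cipher, auth, nat_t):
        size -= 1
    return size


def clamped_mss(link_mtu, cipher, auth, nat_t=False):
    """TCP MSS to clamp on the gateway so no inner segment triggers fragmentation."""
    return max_inner_packet(link_mtu, cipher, auth, nat_t) - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    for cipher, auth in (("3des-cbc", "hmac-sha1-96"), ("aes-cbc", "hmac-sha2-256-128")):
        print(cipher, auth, "max inner:", max_inner_packet(1500, cipher, auth),
              "MSS:", clamped_mss(1500, cipher, auth),
              "1492-byte inner fits:", fits(1492, 1500, cipher, auth))
```

Lowering the endpoint MTU from 1500 to 1492 shaves only 8 bytes, while the ESP overhead computed here is several times that, which is why a far smaller MSS (or inner MTU) is the informative test.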