Date:      Fri, 20 Dec 2019 18:41:02 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 242744] IPSec in transport mode between FreeBSD hosts blackholes TCP traffic
Message-ID:  <bug-242744-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242744

            Bug ID: 242744
           Summary: IPSec in transport mode between FreeBSD hosts
                    blackholes TCP traffic
           Product: Base System
           Version: 12.1-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: vas@sibptus.ru

When you configure transport mode IPSec between two FreeBSD hosts (no tunnels
or if_ipsec), TCP connectivity between those hosts breaks. It happens because
a) ESP packets are always generated with the DF flag set, b) PMTUD does not
work in IPSec transport mode because there is no interface (?) c) when TCP
segments of standard size are encapsulated into ESP packets, the resulting
oversized ESP packets cannot pass through any interface with MTU=1500, nor can
they be fragmented because of the DF flag, so they are just blackholed and
never leave the host.

How to reproduce. Configure a simple transport mode IPSec between two FreeBSD
hosts and try to scp files from one host to another. The file transfer will
inevitably stall, until you clear all IPSec policies. Watch with tcpdump: all
ESP packets have the DF flag set, but large ESP packets will be missing.

A workaround. A host route to the peer with "-mtu 1400" can be configured as
described in
https://lists.freebsd.org/pipermail/freebsd-net/2019-December/054952.html but
it is not scalable.

What is to be done. ESP packets should not have the DF flag set by default for
things to "just work."

I've checked that the net.inet.ipsec.dfbit does not affect transport mode.
Regardless of its value, the DF flag is always on.

-- 
You are receiving this mail because:
You are the assignee for the bug.
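A worked size model of the blackhole the report describes, added here as an example; it is not part of the bug report or of FreeBSD's IPsec code. It assumes IPv4 and an ESP SA using AES-CBC with HMAC-SHA1-96 (with AES-GCM-128 as a second, constructed parameter set), the header, IV, padding and ICV sizes are the standard RFC 4303/4106 ones, and the function names and the 1400-byte route MTU figure are taken from the workaround above rather than from any kernel code. It shows why a full-size TCP segment (MSS 1460) wrapped in transport-mode ESP exceeds a 1500-byte link MTU, how much payload does fit, and why lowering the route MTU to 1400 makes the segments fit again.

```python
"""Transport-mode ESP packet-size model (added example, not from the bug report).

Assumptions (constructed for illustration):
  - IPv4: outer IP header is 20 bytes and is reused in transport mode.
  - Default SA: AES-CBC (16-byte IV, 16-byte block) + HMAC-SHA1-96 (12-byte ICV).
    AES-GCM-128 is given as a second set: 8-byte IV, 4-byte alignment, 16-byte ICV.
  - RFC 4303 padding: inner data + padding + the 2-byte trailer
    (pad length, next header) is a multiple of the cipher block / alignment.
"""
from dataclasses import dataclass

ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
IPV4_HEADER = 20
TCP_HEADER = 20    # no options, as on an established connection


@dataclass(frozen=True)
class EspParams:
    iv_len: int    # explicit IV bytes carried after the ESP header
    block: int     # cipher block size / required alignment of the padded payload
    icv_len: int   # integrity check value bytes


AES_CBC_SHA1 = EspParams(iv_len=16, block=16, icv_len=12)
AES_GCM_128 = EspParams(iv_len=8, block=4, icv_len=16)


def esp_padding(inner_len: int, p: EspParams) -> int:
    """Padding bytes so that inner + pad + trailer fills whole blocks."""
    return (-(inner_len + ESP_TRAILER)) % p.block


def esp_transport_packet_len(tcp_payload: int, p: EspParams = AES_CBC_SHA1) -> int:
    """On-the-wire IPv4 length of a TCP segment protected by transport-mode ESP.

    In transport mode ESP wraps only TCP header + payload; the original IP
    header stays in front (with protocol 50), so there is no second IP header.
    """
    inner = TCP_HEADER + tcp_payload
    pad = esp_padding(inner, p)
    return IPV4_HEADER + ESP_HEADER + p.iv_len + inner + pad + ESP_TRAILER + p.icv_len


def fits_link(tcp_payload: int, link_mtu: int = 1500, p: EspParams = AES_CBC_SHA1) -> bool:
    """With DF set and no fragmentation, anything larger than link_mtu is dropped."""
    return esp_transport_packet_len(tcp_payload, p) <= link_mtu


def max_tcp_payload(link_mtu: int = 1500, p: EspParams = AES_CBC_SHA1) -> int:
    """Largest TCP payload whose ESP-encapsulated packet still fits in link_mtu."""
    fixed = IPV4_HEADER + ESP_HEADER + p.iv_len + p.icv_len
    encrypted = (link_mtu - fixed) // p.block * p.block   # whole blocks only
    return encrypted - ESP_TRAILER - TCP_HEADER


def tcp_mss_for_route_mtu(route_mtu: int) -> int:
    """MSS TCP derives from a route MTU: route MTU minus IPv4 and TCP headers."""
    return route_mtu - IPV4_HEADER - TCP_HEADER


def largest_working_route_mtu(link_mtu: int = 1500, p: EspParams = AES_CBC_SHA1) -> int:
    """Highest '-mtu' value on the host route that keeps every segment under link_mtu."""
    return max_tcp_payload(link_mtu, p) + IPV4_HEADER + TCP_HEADER


if __name__ == "__main__":
    mss_default = tcp_mss_for_route_mtu(1500)             # 1460 on a plain 1500 route
    print("ESP(1460) length:", esp_transport_packet_len(mss_default),
          "fits 1500?", fits_link(mss_default))           # 1544, False: blackholed
    print("max payload at 1500:", max_tcp_payload())      # 1418
    mss_workaround = tcp_mss_for_route_mtu(1400)          # 1360 with the -mtu 1400 route
    print("ESP(1360) length:", esp_transport_packet_len(mss_workaround),
          "fits 1500?", fits_link(mss_workaround))        # 1448, True
    print("largest working route mtu:", largest_working_route_mtu())  # 1458
```

The model matches the symptom in the report: a 1500-byte route gives TCP an MSS of 1460, and the 1460-byte segments become 1544-byte ESP packets with DF set, which never leave the host. A 1400-byte host route drops the MSS to 1360, whose ESP packets are 1448 bytes and pass. Changing the SA parameters changes only the constants, not the conclusion.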



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-242744-227>