Date: Fri, 20 Dec 2019 22:23:14 +0700
From: Victor Sudakov <vas@sibptus.ru>
To: freebsd-net@freebsd.org
Subject: IPSec transport mode, mtu, fragmentation...
Message-ID: <20191220152314.GA55278@admin.sibptus.ru>

Dear Colleagues,

I've set up IPSec in transport mode between two regular FreeBSD hosts, for testing. Now TCP sessions between those hosts don't work normally any more. For example, scp is stalled almost immediately after starting a file transfer, and so is interactive ssh eventually.

I feel that the problem is somehow related to MTU, MSS and fragmentation of ESP packets, because:

1. When IPSec is disabled, I can "ping -s1472 -D" the remote host all right.

2. When IPSec is enabled, the maximum packet size I've been able to send through is "ping -s1414 -D". ("ping -s1415 -D host-b" already disappears in the void).

I'm really at a loss what to do about that. In transport mode, there is no network interface I could adjust MTU on, or run some kind of MSS fixer.

PS And I'm talking about IPv4 only for now, but "{scp, ssh} -6" is stalling too.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
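
The size arithmetic behind the two ping tests above, as an added example that is not part of the original message: it computes the on-wire IPv4 length of an ESP transport-mode echo request (RFC 4303 layout) and the largest `ping -s` value that still fits with DF set. The 1500-byte MTU and the candidate cipher suites are assumptions; the message does not say which algorithms the SAs use.

```python
# Added example: ESP transport-mode size arithmetic for "ping -s N -D".
# Assumptions: 1500-byte link MTU, IPv4 header without options, and the
# candidate suites below (the message does not name the SA algorithms).

IPV4_HDR = 20     # IPv4 header, no options
ICMP_HDR = 8      # ICMP echo header that ping puts in front of its -s payload
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)

# suite name: (IV bytes, padding alignment in bytes, ICV bytes)
SUITES = {
    "aes-cbc + hmac-sha1-96": (16, 16, 12),
    "aes-cbc + hmac-sha2-256-128": (16, 16, 16),
    "aes-cbc + hmac-sha2-384-192": (16, 16, 24),
    "aes-cbc + hmac-sha2-512-256": (16, 16, 32),
    "aes-gcm-16": (8, 4, 16),
}

def esp_packet_len(ping_size, suite):
    """Total IPv4 length of an ESP transport-mode echo request."""
    iv, align, icv = SUITES[suite]
    inner = ICMP_HDR + ping_size + ESP_TRAILER
    padded = -(-inner // align) * align   # round up to the alignment
    return IPV4_HDR + ESP_HDR + iv + padded + icv

def max_ping_size(suite, mtu=1500):
    """Largest -s value whose ESP packet fits in the MTU without fragmenting."""
    size = mtu
    while size > 0 and esp_packet_len(size, suite) > mtu:
        size -= 1
    return size

def suites_matching(observed_max, mtu=1500):
    """Candidate suites whose computed cutoff equals the observed one."""
    return [s for s in SUITES if max_ping_size(s, mtu) == observed_max]

if __name__ == "__main__":
    for name in SUITES:
        print(f"{name:30} max ping -s {max_ping_size(name)}")
    print("cutoff of 1414 is consistent with:", suites_matching(1414))
```

Under these assumptions, a cutoff at exactly 1414 is what plain MTU overflow with DF set would produce for AES-CBC with a 24- or 32-byte ICV; the suites actually configured can be read from the SAD with `setkey -D`.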