From: Victor Sudakov <vas@sibptus.ru>
To: freebsd-net@freebsd.org
Date: Fri, 20 Dec 2019 22:23:14 +0700
Subject: IPSec transport mode, mtu, fragmentation...
Message-ID: <20191220152314.GA55278@admin.sibptus.ru>

Dear Colleagues,

I've set up IPSec in transport mode between two regular FreeBSD hosts, for testing. Now TCP sessions between those hosts don't work normally any more.
For example, scp is stalled almost immediately after starting a file transfer, and so is interactive ssh eventually.

I feel that the problem is somehow related to MTU, MSS and fragmentation of ESP packets, because:

1. When IPSec is disabled, I can "ping -s1472 -D" the remote host all right.

2. When IPSec is enabled, the maximum packet size I've been able to send through is "ping -s1414 -D". ("ping -s1415 -D host-b" already disappears in the void).

I'm really at a loss what to do about that. In transport mode, there is no network interface I could adjust MTU on, or run some kind of MSS fixer.

PS And I'm talking about IPv4 only for now, but "{scp, ssh} -6" is stalling too.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
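The size arithmetic behind the two ping results in the mail, as an added example that is not part of the original message: it computes the on-the-wire length of an IPv4 ESP transport-mode packet and the largest ICMP payload or TCP MSS that still fits a 1500-byte MTU with DF set. The IV, cipher block and ICV lengths are assumptions chosen only because they reproduce the reported boundary (1414 passes, 1415 is dropped); the mail does not state the real SA parameters.

```python
IP_HDR = 20       # IPv4 header, no options
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
ICMP_HDR = 8      # ICMP echo request/reply header
TCP_HDR = 20      # TCP header, no options (timestamps add 12 bytes)

# Assumed SA parameters (hypothetical): 16-byte IV, 16-byte cipher block,
# 32-byte ICV. Chosen because they reproduce the mail's boundary
# (1414 passes, 1415 is dropped); the mail does not state the real ones.
IV_LEN, BLOCK, ICV_LEN = 16, 16, 32


def esp_transport_len(inner_len, iv_len=IV_LEN, block=BLOCK, icv_len=ICV_LEN):
    """On-the-wire length of an IPv4 ESP transport-mode packet whose original
    IP payload (L4 header + data) is inner_len bytes. Transport mode keeps the
    original IP header and inserts ESP header + IV after it; payload + trailer
    is padded up to the cipher block size and the ICV is appended."""
    padded = -(-(inner_len + ESP_TRAILER) // block) * block   # round up to block
    return IP_HDR + ESP_HDR + iv_len + padded + icv_len


def max_payload(mtu=1500, l4_hdr=ICMP_HDR, ipsec=True, **sa):
    """Largest L4 payload (ping -s value, or TCP MSS) that still fits the MTU.
    With DF set (ping -D, or TCP doing path MTU discovery) anything larger
    cannot be fragmented and is dropped."""
    if not ipsec:
        return mtu - IP_HDR - l4_hdr
    for data in range(mtu, -1, -1):
        if esp_transport_len(l4_hdr + data, **sa) <= mtu:
            return data
    return 0


def ping_fits(data_len, mtu=1500, **sa):
    """True if 'ping -s data_len -D' would fit into the MTU through the SA."""
    return esp_transport_len(ICMP_HDR + data_len, **sa) <= mtu


if __name__ == "__main__":
    print("plain : max ping -s  =", max_payload(ipsec=False))          # 1472
    print("ESP   : max ping -s  =", max_payload())                     # 1414
    print("ESP   : 1415 fits?    ", ping_fits(1415))                   # False
    print("ESP   : TCP MSS       ", max_payload(l4_hdr=TCP_HDR))       # 1402
    print("ESP   : MSS w/ tstamp ", max_payload(l4_hdr=TCP_HDR + 12))  # 1390
```

The last two values are the MSS a host would need to advertise (or an MSS clamp would need to enforce) so that full-sized TCP segments survive ESP encapsulation under the assumed parameters; with different IV, block or ICV sizes the boundary moves, so rerun with the SA's actual values.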