From owner-freebsd-net@freebsd.org Fri Dec 20 15:26:38 2019
Subject: Re: IPSec transport mode, mtu, fragmentation...
To: freebsd-net@freebsd.org
From: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
Date: Fri, 20 Dec 2019 16:26:25 +0100
In-Reply-To: <20191220152314.GA55278@admin.sibptus.ru>
List-Id: Networking and TCP/IP with FreeBSD

On 20.12.19 16:23, Victor Sudakov wrote:
> Dear Colleagues,
>
> I've set up IPSec in transport mode between two regular FreeBSD hosts,
> for testing. Now TCP sessions between those hosts don't work normally
> any more. For example, scp is stalled almost immediately after starting
> a file transfer, and so is interactive ssh eventually.
>
> I feel that the problem is somehow related to MTU, MSS and fragmentation
> of ESP packets, because:
>
> 1. When IPSec is disabled, I can "ping -s1472 -D" the remote host all
> right.
>
> 2. When IPSec is enabled, the maximum packet size I've been able to send
> through is "ping -s1414 -D". ("ping -s1415 -D host-b" already disappears
> in the void).
>
> I'm really at a loss what to do about that. In transport mode, there is
> no network interface I could adjust MTU on, or run some kind of MSS
> fixer.

Maybe you could add a route to the remote host with the -mtu parameter.
I've never tested this because I have interfaces (either if_ipsec or
if_gif protected with transport mode IPSec) and I do MSS clamping in pf,
but this could work.

--
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'
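The two replies in this thread (a host route with -mtu, or MSS clamping in pf) both need a number: how much of the 1500-byte MTU the ESP transport-mode framing eats. The following is an added example, not code from either poster, that derives that number from the SA's cipher parameters per RFC 4303 framing rules; the parameter sets named AES_CBC_SHA512 and AES_GCM are assumptions (the thread does not state which transforms were configured), chosen because the first one reproduces the reported 1414/1415 "ping -s" boundary.

```python
# Added example: estimate ESP transport-mode overhead on the wire so a route
# MTU or pf "scrub max-mss" value can be derived instead of found by trial.
# Framing follows RFC 4303; the cipher parameter sets below are assumptions.

IP_HDR = 20        # IPv4 header without options
ICMP_HDR = 8       # echo request header, which "ping -s N" adds on top of N
TCP_HDR = 20       # TCP header without options
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header

def esp_wire_size(payload, iv_len, block, icv_len):
    """Size of an IPv4 packet carrying `payload` bytes in ESP transport mode."""
    # payload + trailer is padded up to the cipher's alignment
    padded = -(-(payload + ESP_TRAILER) // block) * block
    return IP_HDR + ESP_HDR + iv_len + padded + icv_len

def max_esp_payload(mtu, iv_len, block, icv_len):
    """Largest protected payload that still fits in `mtu` bytes."""
    budget = mtu - IP_HDR - ESP_HDR - iv_len - icv_len
    return (budget // block) * block - ESP_TRAILER

def max_ping_size(mtu, iv_len, block, icv_len):
    """Largest "ping -s" value that fits, matching the test in the thread."""
    return max_esp_payload(mtu, iv_len, block, icv_len) - ICMP_HDR

def tcp_mss_clamp(mtu, iv_len, block, icv_len):
    """MSS to clamp to (e.g. pf scrub max-mss) so full segments fit the MTU."""
    return max_esp_payload(mtu, iv_len, block, icv_len) - TCP_HDR

# Assumed SA: AES-CBC (16-byte IV, 16-byte blocks) with a 32-byte ICV
# (e.g. HMAC-SHA2-512).  This is the combination that yields the reported
# 1414-byte limit on a 1500-byte MTU.
AES_CBC_SHA512 = dict(iv_len=16, block=16, icv_len=32)
# Assumed alternative for comparison: AES-GCM (8-byte IV, 4-byte alignment,
# 16-byte ICV), which has noticeably less overhead.
AES_GCM = dict(iv_len=8, block=4, icv_len=16)

if __name__ == "__main__":
    for name, sa in (("aes-cbc+sha512", AES_CBC_SHA512), ("aes-gcm", AES_GCM)):
        print(name, "max ping -s:", max_ping_size(1500, **sa),
              "mss clamp:", tcp_mss_clamp(1500, **sa))
```

Because padding is applied per packet, a payload one byte over the limit jumps a whole cipher block, which is why 1415 vanishes while 1414 passes; the MSS value is what a pf max-mss rule or a -mtu host route should be sized from.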