From owner-freebsd-net@FreeBSD.ORG Tue Nov 9 11:05:55 2004
Message-ID: <4190A452.1060303@commit.it>
Date: Tue, 09 Nov 2004 12:04:50 +0100
From: Angelo Turetta
To: "Matthew T. Lager"
cc: freebsd-net@freebsd.org
In-Reply-To: <1903.24.25.209.32.1099792495.squirrel@24.25.209.32>
Subject: Re: 5.3-RELEASE w/ IPSEC & RACOON
List-Id: Networking and TCP/IP with FreeBSD

Matthew T. Lager wrote:

> Using the same configuration in 5.3-*, the tunnel is still established and
> simple traffic can be sent across the tunnel. When a sudden burst of
> packets is sent through the tunnel, that particular connection completely
> and permanently freezes. An example of this is a simple SSH session to
> another FreeBSD machine where a dmesg is issued. About 5 lines into the
> dmesg, the connection freezes up.
>
> Does anyone have any ideas or information? Thanks in advance!
>
> Matt Lager

I have once seen a similar problem, and after a lot of tcpdump I found something I don't know all the exact details about, but I'll try to explain in non-technical language :-(.

Apparently, sometimes a TCP packet is so full that after adding the ESP headers its length exceeds the MTU. The IPSEC layer should fragment it transparently, while the receiving side reassembles the pieces and normally nobody notices. In my case, the remote side was a commercial firewall which actually blocked the fragments, hanging the TCP connection.

To solve the problem I had to MSS-CLAMP all the TCP traffic between the two subnets.

I don't know what filters you may have between your two bridge-head servers, but I advise you to tcpdump on the external interfaces of both sides, looking for strange packets.

Hope this helps,
Angelo Turetta
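The arithmetic behind the reply above, as an added example that is not part of the original thread: it models the tunnel-mode ESP overhead (RFC 4303 layout) to show why a full-size TCP segment no longer fits a 1500-byte MTU once encapsulated, and computes the MSS clamp that avoids the fragmentation. The cipher parameters (3DES-CBC with HMAC-SHA1-96 by default) are assumptions, not details from the post.

```python
"""Tunnel-mode ESP overhead versus path MTU, and the resulting MSS clamp.
Constructed example; the cipher/ICV sizes are assumptions, not from the thread."""

IP_HDR = 20       # IPv4 header without options
TCP_HDR = 20      # TCP header without options
ESP_HDR = 8       # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)


def esp_tunnel_len(inner_pkt_len, block_size=8, iv_len=8, icv_len=12):
    """Outer packet length after wrapping a whole inner IP packet in tunnel-mode ESP.

    Defaults model 3DES-CBC (8-byte block and IV) with HMAC-SHA1-96 (12-byte ICV);
    pass block_size=16, iv_len=16 for AES-CBC.
    """
    # CBC padding brings (inner packet + trailer) up to a multiple of the block size.
    unpadded = inner_pkt_len + ESP_TRAILER
    pad = (-unpadded) % block_size
    return IP_HDR + ESP_HDR + iv_len + inner_pkt_len + pad + ESP_TRAILER + icv_len


def segment_needs_fragmentation(mss, mtu=1500, **cipher):
    """True if a TCP segment carrying `mss` bytes of data exceeds the MTU once
    encapsulated, so the ESP layer (or a router) has to fragment it."""
    inner = IP_HDR + TCP_HDR + mss
    return esp_tunnel_len(inner, **cipher) > mtu


def clamped_mss(mtu=1500, **cipher):
    """Largest MSS whose full-size segment still fits the MTU after encapsulation.

    This is the value an MSS clamp should advertise in the TCP handshake so
    that bulk transfers (the 'sudden burst' in the post) never produce fragments.
    """
    mss = mtu - IP_HDR - TCP_HDR          # plain-Ethernet default, 1460
    while mss > 0 and segment_needs_fragmentation(mss, mtu, **cipher):
        mss -= 1
    return mss


if __name__ == "__main__":
    # A full 1460-byte segment becomes a 1552-byte ESP packet: fragmented on a 1500 MTU.
    print("1460-byte MSS fragments:", segment_needs_fragmentation(1460))
    print("Clamp MSS to:", clamped_mss())
```

Small interactive traffic stays below the threshold, which is why the tunnel looks healthy until a burst of full-size segments arrives; the clamp value depends on the negotiated cipher, so recompute it if the proposal changes.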