From: Victor Sudakov <vas@sibptus.ru>
To: freebsd-net@freebsd.org
Date: Fri, 20 Dec 2019 23:56:15 +0700
Subject: Re: IPSec transport mode, mtu, fragmentation...
Message-ID: <20191220165615.GA57281@admin.sibptus.ru>
In-Reply-To: <20191220160357.GB56081@admin.sibptus.ru>
References: <20191220152314.GA55278@admin.sibptus.ru> <20191220160357.GB56081@admin.sibptus.ru>
List-Id: Networking and TCP/IP with FreeBSD

Victor Sudakov wrote:
> Kajetan Staszkiewicz wrote:
> > On 20.12.19 16:23, Victor Sudakov wrote:
> > > Dear Colleagues,
> > >
> > > I've set up IPSec in transport mode between two regular FreeBSD hosts,
> > > for testing. Now TCP sessions between those hosts don't work normally
> > > any more. For example, scp is stalled almost immediately after starting
> > > a file transfer, and so is interactive ssh eventually.
> > >
> > > I feel that the problem is somehow related to MTU, MSS and fragmentation
> > > of ESP packets, because:
> > >
> > > 1. When IPSec is disabled, I can "ping -s1472 -D" the remote host all
> > > right.
> > >
> > > 2. When IPSec is enabled, the maximum packet size I've been able to send
> > > through is "ping -s1414 -D". ("ping -s1415 -D host-b" already disappears
> > > in the void).
> > >
> > > I'm really at a loss what to do about that. In transport mode, there is
> > > no network interface I could adjust MTU on, or run some kind of MSS
> > > fixer.
> >
> > Maybe you could add a route to the remote host with the -mtu parameter.
>
> Just tried "route add -host host-b -mtu 1400 gw". The route is there
> with the right mtu (according to "route get host-b") but it did not
> help. Probably the packet is intercepted by IPsec before it gets into
> routing.

Sorry, Kajetan, I was mistaken, your advice with a host route *does* work.
It seems I was adding an IPv4 route but scp-ing over IPv6. Your workaround
works, I confirm.

>
> What gives? Setting up IPsec transport mode between hosts should be a
> simple thing which *just* *works*.
>
> What's the root of the problem? ESP packets cannot get fragmented or
> what?

I need to figure out why IPsec tunnel mode is always generating ESP packets
with the DF flag set. Therefore they just don't get through the interface
and never leave the host. I cannot even "scrub out proto 50 no-df" them
because they never go through any f*cking interface, that's what I think is
happening. Don't tell me it's by design.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
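The arithmetic behind the "ping -s1472 -D" and "ping -s1414 -D" figures in the thread, as an added example that is not part of the mailing-list message. It assumes a 1500-byte path MTU (consistent with 1472 passing over plain IPv4); the SA's cipher and integrity algorithm are not stated in the thread, so they are inputs, and the parameter sets defined in the block (AES-CBC with HMAC-SHA1-96, AES-CBC with HMAC-SHA256-128, AES-GCM-16, and the first of these UDP-encapsulated) are illustrative assumptions. It also derives the TCP MSS a host would have to advertise for full segments to fit under ESP, and replaces the manual "ping -s N -D" probing with a binary search against the size function.

```python
"""ESP transport-mode size arithmetic (added example, not from the thread).

Assumptions, none of which are stated in the message:
  * the path MTU is 1500 bytes;
  * the SA's cipher/integrity parameters are unknown, so they are inputs;
    the parameter sets below are common choices, not the poster's config;
  * the inner payload is an ICMP echo (8-byte header), as in the ping tests.
"""
from dataclasses import dataclass
from typing import Optional

ESP_HEADER = 8      # SPI (4) + sequence number (4), RFC 4303
ESP_TRAILER = 2     # pad length (1) + next header (1)
ICMP_HEADER = 8
TCP_HEADER = 20     # no TCP options
IP_HEADER = {4: 20, 6: 40}
UDP_ENCAP = 8       # UDP header when ESP is UDP-encapsulated (NAT-T, RFC 3948)


@dataclass(frozen=True)
class EspParams:
    name: str
    iv_len: int      # IV carried at the start of the ESP payload field
    block: int       # padding alignment: cipher block size for CBC, 4 otherwise
    icv_len: int     # integrity check value length
    udp_encap: bool = False


# Illustrative parameter sets (assumptions, see module docstring).
AES_CBC_SHA1 = EspParams("AES-CBC + HMAC-SHA1-96", iv_len=16, block=16, icv_len=12)
AES_CBC_SHA256 = EspParams("AES-CBC + HMAC-SHA256-128", iv_len=16, block=16, icv_len=16)
AES_GCM16 = EspParams("AES-GCM-16", iv_len=8, block=4, icv_len=16)
AES_CBC_SHA1_NATT = EspParams("AES-CBC + HMAC-SHA1-96 over UDP", 16, 16, 12, udp_encap=True)


def esp_padding(inner_len: int, p: EspParams) -> int:
    """Padding so that payload + padding + trailer is a multiple of p.block."""
    return (-(inner_len + ESP_TRAILER)) % p.block


def esp_wire_size(inner_len: int, ipver: int, p: EspParams) -> int:
    """On-wire size of a transport-mode ESP packet carrying inner_len bytes of
    transport-layer data (ICMP header + data, or TCP header + data)."""
    size = IP_HEADER[ipver] + ESP_HEADER + p.iv_len
    size += inner_len + esp_padding(inner_len, p) + ESP_TRAILER + p.icv_len
    if p.udp_encap:
        size += UDP_ENCAP
    return size


def max_inner_len(mtu: int, ipver: int, p: EspParams) -> int:
    """Largest transport-layer payload whose ESP packet fits in mtu with DF set."""
    fixed = IP_HEADER[ipver] + ESP_HEADER + p.iv_len + p.icv_len
    if p.udp_encap:
        fixed += UDP_ENCAP
    avail = mtu - fixed
    # payload + padding + trailer must be the largest block multiple <= avail
    return avail - (avail % p.block) - ESP_TRAILER


def max_ping_size(mtu: int, ipver: int, p: Optional[EspParams]) -> int:
    """Largest `ping -s N -D` that passes; plain IP + ICMP when p is None."""
    if p is None:
        return mtu - IP_HEADER[ipver] - ICMP_HEADER
    return max_inner_len(mtu, ipver, p) - ICMP_HEADER


def mss_for_mtu(mtu: int, ipver: int, p: EspParams) -> int:
    """TCP MSS to advertise so that a full segment still fits under ESP."""
    return max_inner_len(mtu, ipver, p) - TCP_HEADER


def probe(mtu: int, ipver: int, p: EspParams, lo: int = 0, hi: int = 1500) -> int:
    """Binary search mirroring the manual ping -s N -D probing in the thread,
    with esp_wire_size() as the oracle instead of a real host."""
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if esp_wire_size(ICMP_HEADER + mid, ipver, p) <= mtu:
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    for ipver in (4, 6):
        print(f"IPv{ipver}, no IPsec: ping -s{max_ping_size(1500, ipver, None)} -D passes")
        for p in (AES_CBC_SHA1, AES_CBC_SHA256, AES_GCM16, AES_CBC_SHA1_NATT):
            print(f"IPv{ipver}, {p.name}: max ping -s{max_ping_size(1500, ipver, p)}, "
                  f"MSS {mss_for_mtu(1500, ipver, p)}")
```

Which parameter set reproduces the observed 1414 depends on the address family: with these constants, AES-CBC plus a 12-byte ICV gives exactly 1414 over IPv6 (1500 on the wire, and 1415 would pad out to 1516), the same SA over plain IPv4 allows 1430, and over UDP-encapsulated IPv4 it is 1414 again. The boundary alone therefore does not pin down the configuration, which is why the parameters are left as inputs.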