From: Eric Masson <e-masson@kisoft-services.com>
To: Mailing List FreeBSD Network <freebsd-net@freebsd.org>
Date: Fri, 24 Oct 2003 17:26:49 +0200
Subject: ipsec tunnels & packet length issues
Message-ID: <8665iehd1i.fsf@t39bsdems.interne.kisoft-services.com>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
X-Operating-System: FreeBSD 4.9-PRERELEASE i386

Hello,

I'm facing a problem with the following setup:

                  +-----------------+ DMZ +----+ LAN +------+
Internet ---------+ Tunnel Endpoint +-----+ Fw +-----+ Host |
                  +-----------------+     +----+     +------+

"Tunnel Endpoint" : FreeBSD 4.8-RELEASE with fastipsec on a NET4801
"Fw"              : Firewall 1
"Host"            : any host (tested with FreeBSD 5.1-CURRENT, Linux RH9)

When I'm connecting to "Host" in "LAN" from a box connected to the other end of a tunnel managed by "Tunnel Endpoint", the following happens:

- back traffic is composed of small-sized packets: everything works fine
- back traffic is composed of LAN-MTU-sized packets: the connection freezes

From a tcpdump on the DMZ interface of "Tunnel Endpoint", traffic from "Host" comes in fine. Traffic on the "Internet" interface differs depending on the size of the packets coming from "Host":

- small-sized packets: ESP tunnel packets with the correct SPI flow out
- LAN-MTU-sized packets: ESP tunnel packet fragments

If I reduce the LAN interface MTU on "Host" to approximately 1450, the tunnel works fine, so it seems that "Tunnel Endpoint" can't correctly process packets with a size of 1500 bytes.

If more information regarding this issue is needed, just ask.

Is this a known issue? Except for playing with the MTU, is there a fix?

TIA

Regards

Eric Masson

-- 
Warning: any message directed against a mediabarre user will be reported to the competent authorities
-+- Crétin in : Con pas pétant signalé.
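The numbers in the post above (1500-byte LAN packets come out as ESP fragments, about 1450 works) follow from the ESP tunnel-mode overhead. The following is an added worked example, not code from Eric Masson's post or from FAST_IPSEC: it computes the on-the-wire size of an inner IPv4 packet after ESP tunnel encapsulation, the largest inner packet that still fits a 1500-byte outer MTU, and the TCP MSS a firewall would clamp to. The transforms used (3DES-CBC with HMAC-SHA1-96, AES-128-CBC with HMAC-SHA1-96) and the SA parameters are assumptions, since the post does not say which SA the NET4801 negotiated; NAT-T UDP encapsulation is not modelled.

```python
# Added example (not part of the original post): ESP tunnel-mode overhead and
# the inner MTU that still fits a given outer MTU. Transform parameters below
# are assumptions; the post does not state which SA was negotiated.
from dataclasses import dataclass

OUTER_IPV4_HDR = 20   # outer IPv4 header added by tunnel mode
ESP_HDR = 8           # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1), inside the ciphertext
TCP_IPV4_HDRS = 40    # IPv4 (20) + TCP (20), used for the MSS calculation


@dataclass(frozen=True)
class EspTransform:
    name: str
    block: int  # cipher block size; ESP padding aligns to it
    iv: int     # explicit IV carried after the ESP header
    icv: int    # integrity check value appended after the ciphertext


# Assumed SA parameters (constructed for this example).
THREEDES_SHA1 = EspTransform("3des-cbc/hmac-sha1-96", block=8, iv=8, icv=12)
AES128_SHA1 = EspTransform("aes-128-cbc/hmac-sha1-96", block=16, iv=16, icv=12)


def esp_padding(inner_len: int, t: EspTransform) -> int:
    """Pad bytes so that (inner packet + pad + trailer) is a multiple of the block size."""
    return (-(inner_len + ESP_TRAILER)) % t.block


def esp_tunnel_len(inner_len: int, t: EspTransform) -> int:
    """Bytes on the wire for an inner IPv4 packet after ESP tunnel-mode encapsulation."""
    return (OUTER_IPV4_HDR + ESP_HDR + t.iv
            + inner_len + esp_padding(inner_len, t) + ESP_TRAILER
            + t.icv)


def max_inner_len(outer_mtu: int, t: EspTransform) -> int:
    """Largest inner packet whose encapsulation fits in one frame of outer_mtu bytes."""
    for n in range(outer_mtu, 0, -1):
        if esp_tunnel_len(n, t) <= outer_mtu:
            return n
    return 0


def tcp_mss(inner_mtu: int) -> int:
    """TCP MSS to clamp to so that a full segment never exceeds inner_mtu."""
    return inner_mtu - TCP_IPV4_HDRS


def outer_fragments(inner_len: int, outer_mtu: int, t: EspTransform) -> int:
    """Number of IPv4 fragments the encapsulated packet becomes on a link of outer_mtu."""
    total = esp_tunnel_len(inner_len, t)
    if total <= outer_mtu:
        return 1
    # Fragment payloads (except the last) are multiples of 8 bytes.
    payload_per_frag = (outer_mtu - OUTER_IPV4_HDR) // 8 * 8
    esp_payload = total - OUTER_IPV4_HDR
    return -(-esp_payload // payload_per_frag)  # ceiling division


if __name__ == "__main__":
    for t in (THREEDES_SHA1, AES128_SHA1):
        inner = max_inner_len(1500, t)
        print(f"{t.name}: 1500-byte inner packet -> {esp_tunnel_len(1500, t)} bytes "
              f"on the wire, {outer_fragments(1500, 1500, t)} fragments; "
              f"max inner MTU {inner}, TCP MSS clamp {tcp_mss(inner)}")
```

With the assumed 3DES/HMAC-SHA1 SA a 1500-byte packet from "Host" becomes 1552 bytes and is sent as two fragments, while anything up to 1446 bytes fits in one frame, which matches the "approximately 1450" observed in the post. The freeze itself is what path MTU discovery failing looks like: if "Host" sets DF and never receives an ICMP fragmentation-needed from the tunnel endpoint (or a firewall in between drops either the ICMP or the ESP fragments), large segments are simply lost. Clamping the TCP MSS on "Fw" to the value tcp_mss(max_inner_len(...)) returns avoids depending on ICMP getting through.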