Date: Thu, 16 Jan 2020 17:30:59 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Eugene Grosbein <eugen@grosbein.net>, Victor Sudakov <vas@sibptus.ru>, freebsd-net@freebsd.org
Cc: Michael Tuexen <tuexen@freebsd.org>
Subject: Re: IPSec transport mode, mtu, fragmentation...
Message-ID: <d6415188-34f3-4451-dee8-39bd9245bf1a@yandex.ru>
In-Reply-To: <d263a709-63cf-7da5-1747-8a6791f6503f@grosbein.net>
References: <20191220152314.GA55278@admin.sibptus.ru> <4cc83b85-dd30-8c0d-330e-aa549ce98c98@yandex.ru> <f9b7357e-ced1-4ce5-40d5-8e3dcad42442@yandex.ru> <d263a709-63cf-7da5-1747-8a6791f6503f@grosbein.net>

On 16.01.2020 17:24, Eugene Grosbein wrote:
> 16.01.2020 20:39, Andrey V. Elsukov wrote:
>
>> I prepared the PoC patch that should fix the problem with TCP and
>> transport mode IPsec. But I have no free time currently to properly
>> test and debug it. It is only compile-tested. But if you want, you can
>> try :)
>> Currently only IPv4 support is implemented.
>>
>> https://people.freebsd.org/~ae/ipsec_transport_mode_ctlinput.diff
>
> In fact, I've faced this problem a long time ago too and I work around it with different approaches
> like "ipfw tcp-setmss" (MSS adjust) or by using IPSec transport mode
> with gif(4) interface removing DF bit out of encapsulated packets.
>
> I was going to test your patch with my home router but the patch does not apply to stable/11 at all.
> Do you have time to adjust it to stable/11?

I tried to apply the patch with `svn patch` and it applies cleanly. The
only needed change is moving `#include ipsec_support.h` to the top of the file.

-- 
WBR, Andrey V. Elsukov