Date:      Thu, 20 Oct 2005 23:47:27 +0100
From:      Volker <volker@vwsoft.com>
To:        freebsd-net@freebsd.org
Subject:   Re: IPSec session stalls
Message-ID:  <43581E7F.5080305@vwsoft.com>
In-Reply-To: <4358082A.4060409@vwsoft.com>
References:  <4358082A.4060409@vwsoft.com>

hmm, I hate replying to myself....

I've just checked another thing:

When pf is disabled on both IPSec endpoints, (even large) file transfers
work fine.

I'm using pf and altq with cbq.

Removing the pf 'scrub' rules didn't solve it. In the firewall I'll let
gif traffic pass with rules like:

pass quick on $if_ext proto { ah, esp } from <ipsec_vpn> to any keep state queue q_h1
pass quick on $if_ext proto { ah, esp } from any to <ipsec_vpn> keep state queue q_h1
pass quick on $if_ext proto ipencap from <ipsec_vpn> to any keep state
pass quick on $if_ext proto ipencap from any to <ipsec_vpn> keep state

I guess as all works fine while pf is disabled this is a pf issue, right?

Thanks,

Volker


On 2005-10-20 22:12, Volker wrote:
> Hi!
> 
> A few days ago I've managed to set up two IPSec tunnels (3 machines
> involved) between FreeBSD 5.4R hosts.
> 
> While I do not fully understand all the options and knobs of IPSec, it
> was easy to set up (thanks to the handbook guys!).
> 
> As the tunnels work properly in the first place, there's one issue (on
> both tunnels). Whenever there's a large amount of traffic per tcp or udp
> session, the tcp or udp session stalls.
> 
> For example, I've tried to scp a 1.4M file through one of these tunnels;
> scp starts to transfer the file and stalls exactly at 49152 bytes being
> transferred. PcAnywhere (using udp) sessions going through the tunnel
> work for a few minutes and then the PcAw connection breaks between host
> and remote. I guess both issues are equal as it generates a lot of
> traffic in the tunnel.
> 
> The tunnel itself seems to be stable. I've tried to scp a huge file and
> pinged the other host in another session, and no packet loss did appear.
> 
> what I did:
> 
> - gif tunnel created on both sides
> - spd policies set up to encrypt (ipencap) traffic between both machines
> (in + out)
> - racoon installed and key lifetime set to 1 hour
> - route set into the tunnel
> 
> The racoon debug output did not show anything which would lead me to an
> issue with racoon.
> 
> Where do I have to look? How do I debug this problem? Did anybody
> experience similar problems?
> 
> Thanks,
> 
> Volker
> 


