From owner-freebsd-net@FreeBSD.ORG Fri Oct 21 07:10:47 2005
Date: Fri, 21 Oct 2005 09:10:39 +0200
From: VANHULLEBUS Yvan
To: freebsd-net@freebsd.org
Message-ID: <20051021071039.GA1876@zen.inc>
References: <4358082A.4060409@vwsoft.com> <43581E7F.5080305@vwsoft.com>
In-Reply-To: <43581E7F.5080305@vwsoft.com>
Subject: Re: IPSec session stalls
List-Id: Networking and TCP/IP with FreeBSD

On Thu, Oct 20, 2005 at 11:47:27PM +0100, Volker wrote:
> hmm, I hate replying to myself.... :-)
[rules]
> I guess as all works fine while pf is disabled this is a pf issue, right?

Not sure: what you described in your first mail also looks like a "basic" fragmentation problem, which can be easily solved by decreasing MTU on traffic endpoints (you can also play with TCPMSS on one gate, but this will only solve TCP problems...).

The pf interaction may only be a side effect of a fragmentation problem.

Yvan.

-- 
NETASQ - Secure Internet Connectivity
http://www.netasq.com