From: "Eugene M. Zheganin" <emz@norma.perm.ru>
To: freebsd-net@freebsd.org
Subject: Re: Racoon/IPSEC Tunnel in 9.2 vs 10.0
Date: Tue, 15 Apr 2014 10:14:54 +0600
Message-ID: <534CB23E.8060304@norma.perm.ru>
In-Reply-To: <5345AA7C.3050700@soliddataservices.com>
References: <5345AA7C.3050700@soliddataservices.com>
List-Id: Networking and TCP/IP with FreeBSD

Hi.

On 10.04.2014 02:15, Matt Lager wrote:
> I have used IPSEC tunnels w/ racoon to establish point to point VPN
> connections for a long time, with great success. I recently decided to
> upgrade one of my endpoints to 10.0-RELEASE from 9.2-RELEASE-p3. I
> didn't do an upgrade but did a fresh installation of 10.0-RELEASE, but
> applied the identical VPN configuration that was working in
> 9.2-RELEASE-p3. The tunnels came up fine, and setkey -D shows that
> keys had been generated; connectivity appeared to be working at first
> glance. I then started to work as normal through my VPN with things
> like RDP, SQL Server, and other protocols, where I found that
> connectivity started then came to a dead halt (not ICMP, which always
> works fine). I did another fresh install of 9.2-RELEASE-p3, applied
> the config, and everything worked as expected.
>
> I've read a lot about MTUs and fragmented traffic, but I'm trying to
> figure out where I should be looking to fix things up. Something
> obviously changed. I do use PF, and I know PF underwent some big
> changes, so maybe it's a PF problem, but I thought I'd post here
> first. I'm using the same PF config on the 10.0 system as I did on the
> 9.2, of course making sure interfaces were all named properly and
> whatnot.
>
> Any advice would be appreciated. Thanks!
>

I'm using FreeBSD on a variety of VPN/ipsec links. Nothing really
changed in 10.x. In fact, I've skipped the 9.x branch entirely, because
it has been the worst release over many years. You should really
investigate the problem, since it looks like it has nothing to do with
the versioning. As a wild guess I can assume you have FLOWTABLE in your
kernel; if I'm right you should get rid of it.

Eugene.
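Added example, not part of Eugene's reply or Matt's post: a POSIX sh check for the FLOWTABLE guess above. It reads a FreeBSD kernel configuration and reports whether an active `options FLOWTABLE` line is present, ignoring commented-out lines. On a live FreeBSD box it feeds itself the running kernel's embedded configuration via `config -x /boot/kernel/kernel`, which assumes the kernel was built with `options INCLUDE_CONFIG_FILE` (the GENERIC default); the two sample configurations inside the block are constructed for illustration and are not real kernel configs.

```shell
#!/bin/sh
# Added example (not from the thread): is FLOWTABLE compiled into this
# FreeBSD kernel? Assumes the running kernel embeds its configuration
# (options INCLUDE_CONFIG_FILE, the GENERIC default) so `config -x` can
# print it back.

# flowtable_in_config: read a kernel configuration file on stdin and
# exit 0 only if it contains an active `options FLOWTABLE` line.
# Comments are stripped first, so `#options FLOWTABLE` does not count,
# and the trailing boundary keeps names like FLOWTABLE_FOO from matching.
flowtable_in_config() {
    sed 's/#.*$//' |
        grep -Eq '^[[:space:]]*options[[:space:]]+FLOWTABLE([[:space:]]|$)'
}

# flowtable_verdict: same check on stdin, printing "present" or "absent".
flowtable_verdict() {
    if flowtable_in_config; then
        echo present
    else
        echo absent
    fi
}

# live_check: inspect the running kernel (FreeBSD only).
live_check() {
    verdict=$(config -x /boot/kernel/kernel 2>/dev/null | flowtable_verdict)
    echo "options FLOWTABLE in running kernel: $verdict"
    # Compiled-in flowtable code also registers sysctl OIDs; list whatever
    # is there rather than assuming exact names, which differ by release.
    sysctl -a 2>/dev/null | grep -i flowtable || echo "no flowtable sysctls"
}

# Constructed sample configurations (not real kernels) so the check can be
# seen working offline. Tabs separate `options` from the option name, as
# config(5) files conventionally do.
sample_with_flowtable=$(printf 'options\tINET\noptions\tFLOWTABLE\t# per-CPU flow cache\n')
sample_without_flowtable=$(printf 'options\tINET\n#options\tFLOWTABLE\t# disabled\n')

printf '%s\n' "$sample_with_flowtable" | flowtable_verdict      # present
printf '%s\n' "$sample_without_flowtable" | flowtable_verdict   # absent

if [ "$(uname -s)" = FreeBSD ]; then
    live_check
fi
```

If the verdict on the 10.0 box is "present", that is the configuration Eugene suggests dropping; if `config -x` prints nothing, the kernel was built without INCLUDE_CONFIG_FILE and the original kernel configuration file has to be inspected instead.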