From owner-freebsd-net@FreeBSD.ORG Thu Jan 29 09:48:22 2015
Message-ID: <54CA01E2.2040404@gmail.com>
Date: Thu, 29 Jan 2015 10:48:18 +0100
From: Andrei Brezan
Subject: Re: IPSEC MTU routing issue
References: <54BFB4B5.3070705@gmail.com> <20150123141337.GA13989@zeninc.net>
In-Reply-To: <20150123141337.GA13989@zeninc.net>
Cc: net@freebsd.org
List-Id: Networking and TCP/IP with FreeBSD

On 01/23/15 15:13, VANHULLEBUS Yvan wrote:
> Hi.
>
> On Wed, Jan 21, 2015 at 03:16:21PM +0100, Andrei Brezan wrote:
>> Weird subject, maybe.
>>
>> I'm running FreeBSD-10.0-RELEASE with PF as firewall and racoon for
>> IPSEC. The IPSEC tunnel is between the FreeBSD box and a Fortinet
>> appliance.
>>
>> The IPSEC tunnel comes up and on a quick test it seems to be
>> working, icmp between networks is ok, you can successfully telnet on
>> services on the other side. However when you need to transfer some
>> data strange things happen. I'm really trying to wrap my head around
>> it and I still don't understand why it happens
>> (http://pastebin.com/NAspcM9w). The packets smaller than 1260 and
>> larger than 1417 are delivered to vlan103, the ones in between are
>> not.
>
> I'm not sure why you have this strange issue.
> Having a look at your IPsec/ESP related kernel stats may give a first
> idea.
>
>
> But I know that, even if you find a fix for this, you'll have very
> poor performance as soon as packets start to be fragmented, and your
> data transfers may just stall forever.
>
> So, the usual way of solving that is to change the TCPMSS "low enough"
> on the fly for all IPsec related traffic.
> 1300 is a common value, low enough to avoid fragmentation, and high
> enough to keep good throughput.
>
> Of course, this will only work for TCP, but most big packets / long
> flows are done on TCP.
>
Thanks Yvan,

The ICMP started working at some point, most likely when I changed
something in my config or the other side did, wasn't able to identify it.
I still had the issues specified in this thread
https://forums.freebsd.org/threads/ipsec-racoon-gif-packet-routing-issues-transfer-stall-fail.50085/

I managed to resolve the problems with an update from Release 10.0 to 10.1.

--
Andrei
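Yvan's advice above (clamp the TCP MSS "low enough" for IPsec traffic, 1300 being a common choice) can be worked through with a short script. The code below is an added example, not part of the thread and not code from FreeBSD, PF or racoon. It assumes SA parameters the thread never states: ESP tunnel mode with AES-CBC (16-byte IV and block) and HMAC-SHA1-96 (12-byte ICV) on a 1500-byte path MTU, optionally with a gif (IP-in-IP) header underneath; the addresses, ports and the SYN segment are constructed for the example. It first derives the largest MSS whose full-size segment survives encapsulation without fragmentation, then does on a raw SYN what an MSS-clamping firewall rule does on the fly: rewrite the MSS option and fix the TCP checksum.

```python
"""ESP tunnel overhead and TCP MSS clamping on constructed packets (added example).

Assumed SA: ESP tunnel mode, AES-CBC (16-byte IV/block), HMAC-SHA1-96 (12-byte ICV),
path MTU 1500. Addresses/ports are made up. Not the thread's or any project's code.
"""
import struct

IP_HDR = 20    # IPv4 header without options
TCP_HDR = 20   # TCP header without options (data segments carry none)
ESP_HDR = 8    # SPI + sequence number
TRAILER = 2    # pad length + next header


def esp_tunnel_len(inner_len, block=16, iv=16, icv=12):
    """Size of the outer packet once an inner IP packet of inner_len bytes is
    wrapped in ESP tunnel mode: outer IP + ESP header + IV + inner packet,
    padded so inner + trailer fills whole cipher blocks, + trailer + ICV."""
    pad = (-(inner_len + TRAILER)) % block
    return IP_HDR + ESP_HDR + iv + inner_len + pad + TRAILER + icv


def max_mss(path_mtu=1500, extra_encap=0, **sa):
    """Largest MSS whose full data segment still fits path_mtu after ESP.
    extra_encap=20 models ESP carried over a gif tunnel (one more IPv4 header)."""
    for mss in range(path_mtu, 0, -1):
        if esp_tunnel_len(IP_HDR + TCP_HDR + mss + extra_encap, **sa) <= path_mtu:
            return mss
    return 0


def _csum(data):
    """RFC 1071 one's-complement checksum of data (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src, dst, tcp):
    """TCP checksum over the IPv4 pseudo-header plus the segment (checksum field = 0)."""
    return _csum(src + dst + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)


def _options(tcp, doff):
    """Yield (offset, kind, length) per TCP option; stop at EOL or malformed data."""
    i = TCP_HDR
    while i < doff:
        kind = tcp[i]
        if kind == 0:                      # end of option list
            return
        if kind == 1:                      # NOP, single byte
            yield i, 1, 1
            i += 1
            continue
        if i + 1 >= doff:
            return
        length = tcp[i + 1]
        if length < 2 or i + length > doff:
            return
        yield i, kind, length
        i += length


def tcp_mss(pkt):
    """MSS advertised in an IPv4/TCP packet, or None if the option is absent."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    for off, kind, length in _options(tcp, (tcp[12] >> 4) * 4):
        if kind == 2 and length == 4:
            return struct.unpack_from("!H", tcp, off + 2)[0]
    return None


def tcp_checksum_ok(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return tcp_checksum(pkt[12:16], pkt[16:20], pkt[ihl:]) == 0


def clamp_mss(pkt, limit):
    """Return pkt with any MSS option above limit lowered to limit and the TCP
    checksum recomputed; non-TCP packets and non-SYN segments pass through."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        return pkt
    tcp = bytearray(pkt[ihl:])
    if not tcp[13] & 0x02:                 # MSS is only meaningful on SYN
        return pkt
    changed = False
    for off, kind, length in _options(tcp, (tcp[12] >> 4) * 4):
        if kind == 2 and length == 4 and struct.unpack_from("!H", tcp, off + 2)[0] > limit:
            struct.pack_into("!H", tcp, off + 2, limit)
            changed = True
    if changed:
        tcp[16:18] = b"\x00\x00"
        struct.pack_into("!H", tcp, 16, tcp_checksum(pkt[12:16], pkt[16:20], bytes(tcp)))
    return pkt[:ihl] + bytes(tcp)


def build_syn(src, dst, sport, dport, mss):
    """Constructed IPv4 SYN with MSS, NOP and window-scale options (sample input)."""
    opts = struct.pack("!BBH", 2, 4, mss) + b"\x01" + struct.pack("!BBB", 3, 3, 7)
    doff = (TCP_HDR + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, doff << 4, 0x02, 65535, 0, 0) + opts
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(tcp), 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]
    return ip + tcp


if __name__ == "__main__":
    print("max MSS, ESP tunnel mode on 1500 MTU:", max_mss())
    print("max MSS with a gif header underneath:", max_mss(extra_encap=20))
    syn = build_syn(b"\x0a\x01\x00\x02", b"\x0a\x02\x00\x05", 40000, 22, 1460)
    clamped = clamp_mss(syn, 1300)
    print("MSS before/after:", tcp_mss(syn), tcp_mss(clamped), "checksum ok:", tcp_checksum_ok(clamped))
```

With the assumed SA the ceiling is 1398 (1378 with a gif header underneath), so 1300 leaves headroom for a different cipher or ICV length on the Fortinet side. On the poster's FreeBSD/PF setup the rewrite itself would be done by a scrub rule carrying `max-mss 1300` on the interface that faces the tunnel (an assumed rule, not from the thread); it only touches SYNs, which is why Yvan notes that non-TCP traffic gets no help from it.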