Date: Sat, 22 Oct 2005 22:01:46 +0100 From: Volker <volker@vwsoft.com> To: Matthew Grooms <mgrooms@shrew.net> Cc: freebsd-net@freebsd.org Subject: Re: IPSec tcp session stalling ( me too ) ... Message-ID: <435AA8BA.6020808@vwsoft.com> In-Reply-To: <435A85F7.3000909@shrew.net> References: <435A85F7.3000909@shrew.net>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --]
Matthew,
thanks for your reply. Glad to hear that I'm not the only one
experiencing this problem. So the problem is IPSec + firewall but not
related to pf or ipfw. Is it IPSec + bandwidth management??
I've tried a different test setup and just pushed a bunch of
(/dev/random) data over a tcp connection through the IPSec tunnel using:
%gnetcat 10.128.1.6 49001 /dev/random
at host B (10.128.6.1) and did
%netcat -l -p 49001 > netcat.out
on host A (10.128.1.6).
After the file 'netcat.out' reached the file size of 66.108 bytes
(around the same size as the scp transfer aborts every time) the tcp
stream has been closed with:
host B: write(net): Operation not permitted
host A: read(net): Connection reset by peer
I've managed to get a tcpdump of the gif interfaces on both hosts. Both
files are attached to this message (hostA.cap and hostB.cap). These
files viewed by ethereal gives a nice look at the tcp flow. There you
can see hostB sends three RST packets at the end (for whatever reason).
The only thing I've seen (looking a bit ugly) is that hostA answers
packets (ACK) before the data payload is being received. At least that's
the way tcpdump has seen these packets. That should be related to
priorisation of ACK packets using ALTQ.
Is anybody else here with deep TCP + IPSec knowledge able to get a look
into this? Any known issues? Is there anything I might also check out?
Is there a 64k limit with IPSec? :(
Thanks,
Volker
On 2005-10-22 19:33, Matthew Grooms wrote:
> Volker,
>
> I have noticed the same problem. In my case, it only seems to
> happen when the traffic is being forwarded across interfaces and pf or
> ipfw is enabled. I use purely IPSEC so I would agree that GRE isn't the
> problem. This behavior is 100% reproducible for me. If traffic is
> forwarded from the host providing the ESP protection or if the firewall
> package is disabled, the problem goes away.
>
> Just some data points. I don't recall seeing this ever happen on
> 4.x + ipfw. I experienced this on early 5.x + ipfw, late 5.x + pf and
> 6.x + pf. I believe the ipfw versions I tested were prior to the pfil
> hooks conversion.
>
> For example ...
>
> NODE 1 sftp client
> NODE 2 sftp server
> IPSEC policy requires ESP protection from NODE 1 or VPN A to NODE 2
>
> NODE 1 ------ VPN A ===== VPN B ----- NODE 2
>
> 1) NODE 1 <-> NODE 2 sftp via IPSEC pf enabled, traffic stalls
> 2) NODE 1 <-> NODE 2 sftp via IPSEC pf disabled, no problems
> 3) VPN A <-> NODE 2 sftp via IPSEC pf enabled, no problems
>
> NOTE : TCP protocol is irrelevant. Haven't tried UDP.
[-- Attachment #2 --]
��������`�������ZC*�D���D������E��@S��@
ṿipџ����[��
S����ZC&�D���D������E��@��@
ṿipџ����O��
����ZC͖�D���D������E��@
t��@A>
iṏpѠQ��
#
ZC�8���8������E��4<��@!
ṿipѠ��
'#ZC�`���8�����E�4%��@5
ṿipѠG-��
(#
$ e!q-OǕ>4 K)y&2z4CC
y
ؘQZC�`��������E����@9
ṿipՠU��
(#aifd6(jB*}ms&Ύ#PZC�`��������E��X��@!
ṿipl
j��
(#K,b/uY.{Ӓ0(<`.}r ݞnZCK�8���8������E��4.��@0
iṏpl
��
#
(ZCK�`��������E����@l
ṿip8 ��
V#Cţؾ
7tDZ/cC
Fd@1tZCL�`��������E��<��@
r
ṿipE��
V#�SEM)y/,r=5u%yW<w.K0ZC|`�8���8������E��4
1��@S
iṏp8��
#
(ZC`�`��������E����@7
ṿipЏF��
[#3ô[V2D~Ԛ
o
{
p|ͩn b~ZCqa�`��������E����@
ṿip휏��
[#fC+Kb%$~μ0
'tKB'ƮZC�8���8������E��4X��@e
iṏpЀ
J��
#
VZC�`��������E����@\
ṿiph��
#̆BJxVٻ8I-4I (g
̮ZC�`��������E��6��@#^
ṿip4ѐ��
#wr ;,MA( e+/z<`TZC�8���8������E��4@��@}
iṏp휀��
#
[ZC�`��������E��~��@
ṿip�a]��
#8VUFBxs8pԿն%aZCm�8���8������E��4��@K
iṏp4
��
#<
[ZC�`��������E����@S
ṿiq�̏H=��
#<
E儡lAʱeVsz
y#[z1ђZC_�`��������E����@4
ṿiqg��
#<p^WnW!l
j*fڔ?5%=͵X
CZC�8���8������E��4B8��@
iṏp�V��
#B
ZC�`��������E��ȓ��@^
ṿiq
dW��
#B@jdOyeŠ}G
^E
*ZC�`��������E�� ��@:o
ṿiq0>��
#B
TZqτ
)y! ԺY)϶흓ms}-ZCF�8���8������E��41��@
iṏq
x��
#e
ZCG�`��������E����@w
ṿiq��
#eܛG|+A!{{ߜWFXOZCG�`��������E����@%
ṿiqȏ/��
#e
\2nx]Di Dl_4f:O#dZC_[�8���8������E��4��@Ħ
iṏq
dq��
#k
ZC[�`��������E����@Tn
ṿiq
-��
#k/YS8ى՞ Nv5_
ڏZCą�8���8������E��4fR��@k
iṏq
j^��
#v
ZC�`��������E��j��@
ṿiq"`?��
#vui=3C6GEF
NjƷ.ZC�`��������E����@?
ṿiq',��
#vúI!{:'%i<,bμ:fWddqsZC �8���8������E��4DG��@w
iṏqȀb��
#
خZC>�`��������E��9��@
ṿiq+*��
#$
-?ep/
NEBL
3
QO[πDZCg �8���8������E��4��@
iṏq"`
[��
#
خZC �`��������E��Y��@�k
ṿiq0ď��
#
_A樬\EyMX챛Kc4]]Pge'#ZCW �`��������E����@J5
ṿiq5��
#hGs%^|)Yܚ`|*[HFЮZC( �8���8������E��4r,��@
iṏq',Ti��
#
讌ZC) �`��������E��6��@#S
ṿiq:\<��
#N7 ?_ʎ4ϸ ~FK"_ZC �8���8������E��4@��@[~
iṏq0Ā
M
��
#
讌ZC �`��������E����@@R
ṿiq?(b��
,#wxdP@
)v#D/cjO( ZC �`��������E����@Q
ṿiqC#��
,#F,$
luSk3
QQ`閅%_jZC
�8���8������E��4$f��@:X
iṏq5E��
#
ZC) �`��������E����@Ti
ṿiqH=
��
5#÷p_
8ԜHn\m�7J+SImkYZC �8���8������E��4
��@à
iṏq?(
>��
#
ZC �`��������E����@g
ṿiqM>��
@#]~I19`R Z#MX?:9/
ZC �`��������E����@Dc
ṿiqRX,i��
@#n|?`.Zp%5И:5`RgZC1
�8���8������E��4m]��@`
iṏqC7��
#
,ZC1
�`��������E��X��@
ṿiqW$
��
U#/
{eJl?~Lbdg
ZC\
�8���8������E��4\f��@X
iṏqM
/��
#
,ZC\
�`��������E����@G
ṿiq[& ��
`#;L8㙑#sc&<g2pI
gwd`))"ZC]
�`��������E����@'
ṿiq`��
a#xd%55Qw JwR=,u뭆xtZC[~
�8���8������E��4MO��@o
iṏqRX(��
#
@ZC{~
�`��������E����@`
ṿiqe)��
i#44"l+uK
MyP^Ψa+U{Y-ZC
�8���8������E��4
B��@Q|
iṏq[
!F��
#
@ZC
�`��������E����@m.
ṿiqjT��
~#
R�bZ]BNt OuuRw^2K;GZC
�`��������E��\��@
ṿiqo z��
#
zcZʗ=ie:e
:DUMOSQ̾>ZC
�8���8������E��4"��@Λ
iṏq`��
#
`ZC
�`��������E��2��@'l
ṿiqs쏮P��
#錗
E0~sRQR՜;ēN"K1֘ՁZC(
�8���8������E��4E-��@
iṏqjT
��
#"
aZC(
�`��������E����@
ṿiqx|��
#"thʪ[j"SG ⏭EQ27WZC)
�`��������E����@
ṿiq}��
#"ͤѰ#yV04pw`/ѡ7ðw~qZC*
�`��������E����@?
ṿiqPt��
#"m?Lye^eC,��կt./~(ZCMt
�8���8������E��4V��@g
iṏqo
I��
#6
~ZC
�8���8������E��4B5��@
iṏqx
��
#A
ZC
�`��������E����@
ṿiq
S��
#A/K1muVuO4R=Nrq_WY!}ZC
�`��������E����@FX
ṿiq菮+��
#A
ȀvV(?DN
h �4e
C!ZCo
�`��������E��{��@_
ṿiqfo��
#A'rW-yGFJȠQhu讌ZC
�8���8������E��4!H��@=v
iṏq}��
#L
ZC
�`��������E����@a
ṿiq:��
#L7n}2Q1+e֟
5T(7ZCO
�8���8������E��4s��@
iṏq
z��
#W
ZCk
�`��������E����@
ṿiqLȫ��
#WQS?! bKJ;TqU!Y,w
7z2w]!ZC>
�`��������E����@g
ṿiqȄ��
#WMt
fS|
`q7"ABPĉuꮌZC?
�8���8������E��4(��@
iṏq��
#j
ZC#?
�`��������E����@
ṿiq䏮��
#j[\ل f,*jqXe
`
BP]�][ZC*j
�8���8������E��4z��@~C
iṏq
��
#u
ZCEj
�`��������E��̰��@A
ṿiq#T��
#u|CJ"?l/V^8R@E@P3^W%
1r
ZCk
�`��������E��#��@6
ṿiq|v��
#u(|PJa
{f9R
.1o^Pu# -ZCn
�8���8������E��4
��@
iṏqLߗ��
#{
ZC
�`��������E��'��@2
ṿiqHF��
#{<c|<qԢ|&!d@b1y먮ZCS
�8���8������E��4S��@j
iṏq
O��
#
ɮZCo
�`��������E����@D
ṿiqk��
#L�.5Y
zj ɡ<`,S<7YOa?ZZCC
�`��������E��؆��@k
ṿiq��
#P
)9l
1ډ%Qe"H :S"
R �ZC
�8���8������E��4
��@
iṏq��
#
ܮZC
�`��������E��u��@1
ṿiq��
#$9V"EĿJؒ4
h#IC?٫ZCV
�8���8������E��4'��@
iṏqH
ɰ��
#
箌ZCt
�`��������E��=��@
O
ṿiqx��
#ć11z j]r
H
4=DU$|l
ZCK
�`��������E��)��@01
ṿiqD��
#bKʈ`1;t<F##
I*{00fZC5
�8���8������E��45��@z
iṏqr��
#
ZC5
�`��������E����@^0
ṿiq��
#$7a&q[QF/ޡ#Cmr>ZC
o
�8���8������E��4E��@x
iṏq
&��
#
ZC
�8���8������E��4)��@̔
iṏqx��
#
ZC&
�,���,������E��(=��@!
ṿiqx����P����ZC$
�8���8������E��4\��@a
iṏq
��
#
ZC4
�,���,������E��(_��@%
ṿiq����P��4��ZC
�8���8������E��4.d��@0Z
iṏq܀M��
#
ZC
�,���,������E��(��@
ṿiq����P��h��
[-- Attachment #3 --]
��������`�������ZC�D���D������E��@��@
ṿipџ����O��
����ZC
�D���D������E��@
t��@A>
iṏpѠQ��
#
ZCy�8���8������E��4<��@!
ṿipѠ��
'#ZCR�`���8�����E�4%��@5
ṿipѠG-��
(#
$ e!q-OǕ>4 K)y&2z4CC
y
ؘQZC+6�`��������E����@9
ṿipՠU��
(#aifd6(jB*}ms&Ύ#PZCD6�8���8������E��4.��@0
iṏpl
��
#
(ZC
L�`��������E��X��@!
ṿipl
j��
(#K,b/uY.{Ӓ0(<`.}r ݞnZCHL�8���8������E��4
1��@S
iṏp8��
#
(ZC-�`��������E����@l
ṿip8 ��
V#Cţؾ
7tDZ/cC
Fd@1tZC�`��������E��<��@
r
ṿipE��
V#�SEM)y/,r=5u%yW<w.K0ZC�8���8������E��4X��@e
iṏpЀ
J��
#
VZC
�`��������E����@7
ṿipЏF��
[#3ô[V2D~Ԛ
o
{
p|ͩn b~ZCQ�8���8������E��4@��@}
iṏp휀��
#
[ZC�`��������E����@
ṿip휏��
[#fC+Kb%$~μ0
'tKB'ZC+�`��������E����@\
ṿiph��
#̆BJxVٻ8I-4I (g
ZC;�8���8������E��4��@K
iṏp4
��
#<
[ZC �`��������E��6��@#^
ṿip4ѐ��
#wr ;,MA( e+/z<`TZC\�8���8������E��4B8��@
iṏp�V��
#B
ZC�`��������E��~��@
ṿip�a]��
#8VUFBxs8pԿն%aZC0�`��������E����@S
ṿiq�̏H=��
#<
E儡lAʱeVsz
y#[z1ђZC0�8���8������E��41��@
iṏq
x��
#e
ZCF�`��������E����@4
ṿiqg��
#<p^WnW!l
j*fڔ?5%=͵X
CZCF�8���8������E��4��@Ħ
iṏq
dq��
#k
ZC"\�`��������E��ȓ��@^
ṿiq
dW��
#B@jdOyeŠ}G
^E
*ZCq�`��������E�� ��@:o
ṿiq0>��
#B
TZqτ
)y! ԺY)϶흓ms}-ZCq�8���8������E��4fR��@k
iṏq
j^��
#v
ZC�`��������E����@w
ṿiq��
#eܛG|+A!{{ߜWFXOZC�8���8������E��4DG��@w
iṏqȀb��
#
ZC�`��������E����@%
ṿiqȏ/��
#e
\2nx]Di Dl_4f:O#dZC�`��������E����@Tn
ṿiq
-��
#k/YS8ى՞ Nv5_
ڏZC�8���8������E��4��@
iṏq"`
[��
#
ZC�`��������E��j��@
ṿiq"`?��
#vui=3C6GEF
NjƷ.ZC�8���8������E��4r,��@
iṏq',Ti��
#
ZC*�`��������E����@?
ṿiq',��
#vúI!{:'%i<,bμ:fWddqsZC|�`��������E��9��@
ṿiq+*��
#$
-?ep/
NEBL
3
QO[πDZC|�8���8������E��4@��@[~
iṏq0Ā
M
��
#
ZC2�`��������E��Y��@�k
ṿiq0ď��
#
_A樬\EyMX챛Kc4]]Pge'#ZCh�8���8������E��4$f��@:X
iṏq5E��
#
ZC�`��������E����@J5
ṿiq5��
#hGs%^|)Yܚ`|*[HFZC�`��������E��6��@#S
ṿiq:\<��
#N7 ?_ʎ4ϸ ~FK"_ZC�8���8������E��4
��@à
iṏq?(
>��
#
ZC
�`��������E����@@R
ṿiq?(b��
,#wxdP@
)v#D/cjO( ZCU
�8���8������E��4m]��@`
iṏqC7��
#
,ZC2�`��������E����@Q
ṿiqC#��
,#F,$
luSk3
QQ`閅%_jZC
H�`��������E����@Ti
ṿiqH=
��
5#÷p_
8ԜHn\m�7J+SImkYZCH�8���8������E��4\f��@X
iṏqM
/��
#
,ZC5j�`��������E����@g
ṿiqM>��
@#]~I19`R Z#MX?:9/
ZC^j�8���8������E��4MO��@o
iṏqRX(��
#
@ZC+�`��������E����@Dc
ṿiqRX,i��
@#n|?`.Zp%5И:5`RgZC)�`��������E��X��@
ṿiqW$
��
U#/
{eJl?~Lbdg
ZC:�8���8������E��4
B��@Q|
iṏq[
!F��
#
@ZC�`��������E����@G
ṿiq[& ��
`#;L8㙑#sc&<g2pI
gwd`))"ZC�8���8������E��4"��@Λ
iṏq`��
#
`ZC�`��������E����@'
ṿiq`��
a#xd%55Qw JwR=,u뭆xtZC�`��������E����@`
ṿiqe)��
i#44"l+uK
MyP^Ψa+U{Y-ZC�8���8������E��4E-��@
iṏqjT
��
#"
aZC1_�`��������E����@m.
ṿiqjT��
~#
R�bZ]BNt OuuRw^2K;GZC[_�8���8������E��4V��@g
iṏqo
I��
#6
~ZC%u�`��������E��\��@
ṿiqo z��
#
zcZʗ=ie:e
:DUMOSQ̾>ZC�`��������E��2��@'l
ṿiqs쏮P��
#錗
E0~sRQR՜;ēN"K1֘ՁZC�8���8������E��4B5��@
iṏqx
��
#A
ZC�`��������E����@
ṿiqx|��
#"thʪ[j"SG ⏭EQ27WZCI�8���8������E��4!H��@=v
iṏq}��
#L
ZC�`��������E����@
ṿiq}��
#"ͤѰ#yV04pw`/ѡ7ðw~qZC�`��������E����@?
ṿiqPt��
#"m?Lye^eC,��կt./~(ZC�8���8������E��4s��@
iṏq
z��
#W
ZC* �`��������E����@
ṿiq
S��
#A/K1muVuO4R=Nrq_WY!}ZC* �8���8������E��4(��@
iṏq��
#j
ZC@ �`��������E����@FX
ṿiq菮+��
#A
ȀvV(?DN
h �4e
C!ZC
V �`��������E��{��@_
ṿiqfo��
#A'rW-yGFJȠQhuZC0V �8���8������E��4z��@~C
iṏq
��
#u
ZCl �`��������E����@a
ṿiq:��
#L7n}2Q1+e֟
5T(7ZCFl �8���8������E��4
��@
iṏqLߗ��
#{
ZC �`��������E����@
ṿiqLȫ��
#WQS?! bKJ;TqU!Y,w
7z2w]!ZC �`��������E����@g
ṿiqȄ��
#WMt
fS|
`q7"ABPĉuZC �8���8������E��4S��@j
iṏq
O��
#
ZC �`��������E����@
ṿiq䏮��
#j[\ل f,*jqXe
`
BP]�][ZC �8���8������E��4
��@
iṏq��
#
ZC0 �`��������E��̰��@A
ṿiq#T��
#u|CJ"?l/V^8R@E@P3^W%
1r
ZC
�`��������E��#��@6
ṿiq|v��
#u(|PJa
{f9R
.1o^Pu# -ZC
�8���8������E��4'��@
iṏqH
ɰ��
#
ZC!
�`��������E��'��@2
ṿiqHF��
#{<c|<qԢ|&!d@b1yZC!
�8���8������E��45��@z
iṏqr��
#
ZCD
�`��������E����@D
ṿiqk��
#L�.5Y
zj ɡ<`,S<7YOa?ZZCZ
�`��������E��؆��@k
ṿiq��
#P
)9l
1ډ%Qe"H :S"
R �ZCZ
�8���8������E��4E��@x
iṏq
&��
#
ZC0p
�`��������E��u��@1
ṿiq��
#$9V"EĿJؒ4
h#IC?٫ZCgp
�8���8������E��4)��@̔
iṏqx��
#
ZC
�`��������E��=��@
O
ṿiqx��
#ć11z j]r
H
4=DU$|l
ZC2
�`��������E��)��@01
ṿiqD��
#bKʈ`1;t<F##
I*{00fZCC
�8���8������E��4\��@a
iṏq
��
#
ZC-
�`��������E����@^0
ṿiq��
#$7a&q[QF/ޡ#Cmr>ZCk
�8���8������E��4.d��@0Z
iṏq܀M��
#
ZC
�,���,������E��(=��@!
ṿiqx����P����ZC&/
�,���,������E��(_��@%
ṿiq����P��4��ZCG
�,���,������E��(��@
ṿiq����P��h��
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?435AA8BA.6020808>