From: Christopher Sean Hilton
To: freebsd-questions@freebsd.org
Date: Sun, 4 Jun 2006 23:11:41 -0400
Subject: IPSec tcp session stalling
Message-ID: <20060605031141.GA1048@dagobah.vindaloo.com>
In-Reply-To: <44832BBC.2070600@FreeBSD.org>
References: <44832827.7030403@FreeBSD.org> <44832BBC.2070600@FreeBSD.org>
User-Agent: Mutt/1.4.2.1i
List-Id: User questions (freebsd-questions@freebsd.org)

I'm having a problem with a FreeBSD workstation that tried to connect to a remote VPN via an IPSec tunnel. Here's my setup:

    A FreeBSD workstation:     W
    An OpenBSD router:         LR
    And another OpenBSD router: RR
    A remote FreeBSD server:   S

LR and RR are connected via an IPSec tunnel. W shares the local ethernet with LR, and LR is W's default gateway. S shares the remote ethernet with RR, and RR is S's default gateway.

The problem comes when I use scp. If I try to send a file bigger than 1400 bytes or so from W to S or vice versa, the connection stalls and I seem to be left waiting for Godot.

If I tcpdump the connection I see that, when sending a file from W to S, LR sends W an ICMP message which states that the last TCP packet was too large and it should change its MTU. But the connection stalls right there.

I noticed that OpenBSD has a flag on scrub rules called no-df which strips the Don't Fragment flag from the packet. Turning this bit on fixes the problem.

I'm wondering why FreeBSD doesn't send anything after it gets the ICMP message which states that it needs to change its MTU for that connection?

-- Chris

-- 
Chris Hilton                                chris-at-vindaloo-dot-com
------------------------------------------------------------------------
"All I was doing was trying to get home from work!" -- Rosa Parks
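The message the poster sees in tcpdump is ICMP type 3, code 4 ("fragmentation needed and DF set", RFC 1191). The following is an added example, not code from the original post or from FreeBSD/OpenBSD: it constructs such a report as the gateway LR would emit it and parses it the way a path-MTU-discovery-capable host should, recovering which TCP flow it applies to, the Next-Hop MTU, and the reduced TCP MSS the sender should switch to. The addresses, ports and the 1400-byte MTU in the sample are constructed (RFC 5737 documentation ranges), since the post names no addresses; the RFC 1191 plateau fallback for routers that report an MTU of 0 is included because the post does not show the actual ICMP payload.

```python
import struct

# RFC 1191 section 7.1 plateau table, used when a router reports Next-Hop MTU = 0
PLATEAUS = [65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68]

# Constructed sample flow: W -> S's sshd. Not from the original post.
W, S = "192.0.2.10", "198.51.100.20"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip4(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def build_frag_needed(orig_ip_header: bytes, orig_l4_first8: bytes, next_hop_mtu: int) -> bytes:
    """ICMP type 3 / code 4 as a router emits it: 8-byte ICMP header carrying the
    Next-Hop MTU, followed by the offending IP header and its first 8 payload bytes.
    The outer IP header is omitted; it is not needed to interpret the report."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + orig_ip_header + orig_l4_first8
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_frag_needed(icmp: bytes, current_pmtu: int) -> dict:
    """What a PMTUD host should learn from the report: the flow it applies to,
    the new path MTU, and the TCP MSS to use from now on for that destination."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("too short to carry the quoted IP header + 8 bytes")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, code) != (3, 4):
        raise ValueError("not a fragmentation-needed report: type %d code %d" % (itype, code))
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    total_len, _, flags_frag = struct.unpack("!HHH", inner[2:8])
    proto = inner[9]
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    if mtu == 0:
        # Pre-RFC 1191 router: step down to the next plateau below the dropped datagram
        mtu = next(p for p in PLATEAUS if p < total_len)
    if mtu < 68 or mtu >= current_pmtu:
        # RFC 1191: a report that would not lower the PMTU is bogus (or hostile); ignore it
        raise ValueError("implausible Next-Hop MTU %d" % mtu)
    return {
        "src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport,
        "df_set": bool(flags_frag & 0x4000),
        "path_mtu": mtu,
        "tcp_mss": mtu - ihl - 20,  # new MSS: MTU minus IP header minus basic TCP header
    }


def sample_inner_header(total_len: int = 1500, df: bool = True) -> bytes:
    """Constructed header of the 1500-byte DF segment W sent to S:22."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                      0x4000 if df else 0, 64, 6, 0, ip4(W), ip4(S))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


# The 8 payload bytes a router quotes: TCP source port, dest port, sequence number
SAMPLE_TCP8 = struct.pack("!HHI", 49152, 22, 0x1000)


def sample_report(next_hop_mtu: int = 1400) -> bytes:
    """Constructed report from LR: only 1400 bytes fit through the IPsec tunnel (assumed value)."""
    return build_frag_needed(sample_inner_header(), SAMPLE_TCP8, next_hop_mtu)


if __name__ == "__main__":
    print(parse_frag_needed(sample_report(), current_pmtu=1500))
```

A sender that honours the report records the lower path MTU for S, re-segments at the new MSS and retransmits; one that keeps emitting 1500-byte DF segments sees every one dropped at the tunnel, which is the stall the post describes. Stripping DF at the gateway (the pf scrub no-df knob mentioned above) sidesteps PMTUD entirely by letting the router fragment the oversized packets itself, at the cost of fragmentation on the tunnel.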