From owner-freebsd-net@FreeBSD.ORG Wed Jan 21 14:16:26 2015
Message-ID: <54BFB4B5.3070705@gmail.com>
Date: Wed, 21 Jan 2015 15:16:21 +0100
From: Andrei Brezan
To: net@freebsd.org
Subject: IPSEC MTU routing issue
List-Id: Networking and TCP/IP with FreeBSD

Weird subject, maybe.

I'm running FreeBSD-10.0-RELEASE with PF as firewall and racoon for IPSEC. The IPSEC tunnel is between the FreeBSD box and a Fortinet appliance. The IPSEC tunnel comes up and on a quick test it seems to be working: ICMP between networks is OK, and you can successfully telnet to services on the other side. However, when you need to transfer some data, strange things happen. I'm really trying to wrap my head around it and I still don't understand why it happens (http://pastebin.com/NAspcM9w). The packets smaller than 1260 and larger than 1417 are delivered to vlan103, but the ones in between are not. If anyone has any idea why this might happen, please shed some light.
# tcpdump -nttti gif0
00:00:00.000000 IP "a.b.c.d" > "e.f.g.h": ICMP echo request, id 21034, seq 1, length 1108
00:00:43.603248 IP "a.b.c.d" > "e.f.g.h": ICMP echo request, id 22826, seq 1, length 1308

# tcpdump -nttti enc0
00:00:00.000000 (authentic,confidential): SPI 0x0d06e35d: IP 109.235.79.81 > 193.239.202.174: IP "a.b.c.d" > "e.f.g.h": ICMP echo request, id 21034, seq 1, length 1108 (ipip-proto-4)
00:00:00.000139 (authentic,confidential): SPI 0x86741d6b: IP "e.f.g.h" > "a.b.c.d": ICMP echo reply, id 21034, seq 1, length 1108
00:00:00.000006 (authentic,confidential): SPI 0x86741d6b: IP 193.239.202.174 > 109.235.79.81: IP "e.f.g.h" > "a.b.c.d": ICMP echo reply, id 21034, seq 1, length 1108 (ipip-proto-4)
00:00:43.603102 (authentic,confidential): SPI 0x0d06e35d: IP 109.235.79.81 > 193.239.202.174: IP "a.b.c.d" > "e.f.g.h": ICMP echo request, id 22826, seq 1, length 1308 (ipip-proto-4)

# tcpdump -nttti vlan103 host "a.b.c.d"
00:00:00.000000 IP "a.b.c.d" > "e.f.g.h": ICMP echo request, id 21034, seq 1, length 1108
00:00:00.000109 IP "e.f.g.h" > "a.b.c.d": ICMP echo reply, id 21034, seq 1, length 1108

Thanks,
-- 
Andrei
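The post narrows the problem down by hand to a window of packet sizes that never reach vlan103 while both smaller and larger packets do. The script below is an added example (not code from the post, from FreeBSD, or from the pastebin) that automates that measurement: it sweeps packet sizes coarsely, then bisects each pass/fail transition so the exact first and last dropped sizes come out with a handful of probes. The `freebsd_ping_probe` helper is an assumption built on FreeBSD ping(8) flags (`-s` payload size, `-c` count, `-t` overall timeout, `-D` don't-fragment) and needs a live tunnel; the `simulated_probe` is a constructed stand-in whose boundaries (1260 and 1417 inclusive) are my reading of the numbers quoted above, since the post does not say whether those two sizes themselves pass. Probing without DF, as the script does by default, reproduces the works/drops/works shape the post describes; probing with DF set turns it into a single threshold, which is the number to compare against the MTUs of gif0 and the outer interface plus the ESP overhead of the negotiated cipher.

```python
"""Find contiguous packet-size windows that a path drops silently.

Added example for the IPsec MTU report above; not code from the original
post or from FreeBSD. The ping-based probe and the simulated window are
assumptions documented inline.
"""
import subprocess
from typing import Callable, List, Tuple

# A probe returns True when a packet of the given size was delivered.
Probe = Callable[[int], bool]


def coarse_sweep(probe: Probe, lo: int, hi: int, step: int) -> List[Tuple[int, bool]]:
    """Probe every `step` bytes from lo up to and including hi."""
    sizes = list(range(lo, hi, step)) + [hi]
    return [(s, probe(s)) for s in sizes]


def first_change(probe: Probe, a: int, ra: bool, b: int) -> int:
    """Smallest size in (a, b] whose result differs from ra (the result at a).

    Assumes exactly one pass/fail transition between a and b, which holds
    when the coarse step is smaller than the narrowest window of interest.
    """
    lo, hi = a, b
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid) == ra:
            lo = mid
        else:
            hi = mid
    return hi


def find_drop_windows(probe: Probe, lo: int = 1000, hi: int = 1500,
                      step: int = 16) -> List[Tuple[int, int]]:
    """Return [(first_dropped, last_dropped), ...] for every run of sizes
    the probe reports as not delivered, in ascending order."""
    samples = coarse_sweep(probe, lo, hi, step)
    windows: List[Tuple[int, int]] = []
    start = samples[0][0] if not samples[0][1] else None  # dropping at floor?
    for (s_prev, r_prev), (s_cur, r_cur) in zip(samples, samples[1:]):
        if r_prev == r_cur:
            continue
        edge = first_change(probe, s_prev, r_prev, s_cur)
        if r_prev:                       # pass -> fail: first dropped size
            start = edge
        else:                            # fail -> pass: first delivered size
            windows.append((start, edge - 1))
            start = None
    if start is not None:                # still dropping at the scan ceiling
        windows.append((start, hi))
    return windows


def freebsd_ping_probe(host: str, size: int, df: bool = False,
                       timeout_s: int = 2) -> bool:
    """Assumed probe for a live system: one ICMP echo via FreeBSD ping(8).

    Flags assumed from FreeBSD ping(8): -s payload bytes, -c 1 packet,
    -t overall timeout in seconds, -D to set Don't Fragment. Exit status 0
    means a reply came back. Not exercised offline.
    """
    cmd = ["ping", "-c", "1", "-t", str(timeout_s), "-s", str(size)]
    if df:
        cmd.append("-D")
    cmd.append(host)
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


# Constructed stand-in for the tunnel in the report: everything inside the
# window vanishes, everything outside is delivered. Inclusive boundaries
# are an assumption; the post only quotes the two numbers.
DROP_LO, DROP_HI = 1260, 1417


def simulated_probe(size: int) -> bool:
    return not (DROP_LO <= size <= DROP_HI)


if __name__ == "__main__":
    # Offline demonstration against the constructed tunnel model.
    print("dropped windows:", find_drop_windows(simulated_probe))
    # Against a real tunnel you would pass, for example:
    #   find_drop_windows(lambda s: freebsd_ping_probe("e.f.g.h", s))
```

The coarse step must be smaller than the narrowest window you care about, otherwise a sweep can step over it entirely; 16 bytes is fine for the 158-byte window in the report, and the bisection then costs about four extra probes per edge. Rerunning with `df=True` and comparing the threshold with the DF-off window tells you whether the tunnel is fragmenting oversize packets before encapsulation rather than returning an ICMP "fragmentation needed", which is the usual reason a middle band of sizes disappears while larger ones still arrive.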