more on IPSec + gif stalling

Volker volker at vwsoft.com
Mon Oct 24 15:23:58 PDT 2005


Hi guys!

I've done another test on the IPSec + gif issue.

Here at my home network I'm running a RELENG_6 box and I've also just
setup a 2nd test server (RELEASE_5_4).

Both are connected by a direct 100 MBit/s LAN connection.

I set up IPSec rules for both machines, created a gif tunnel between both
and sent traffic through the tunnel, and the result is the same. As soon
as some amount of data (somewhere around 56k to 64k) has been transferred
through the gif tunnel, the transfer session stalls.

When not using a gif tunnel over IPSec, everything is fine.

This means:
IPSec + gif + firewall (pf) = tcp sessions within the gif tunnel stall
IPSec + gif - firewall = just works
IPSec - gif + firewall = just works
-IPSec + gif + firewall = just works

In my test scenario I've secured the outside of the gif tunnel by IPSec.
I haven't checked what happens when the inside of the gif tunnel is
being secured by IPSec. Also I've checked with both kernel options IPSEC
and FAST_IPSEC. It didn't make a difference.

I've checked the inside of the gif tunnel and the outside for suspicious
packets but couldn't find one.

I've checked for IPSec tunnel mode and transport mode and as soon as I'm
using a gif tunnel, a data session running inside the gif tunnel dies
sooner or later (transport/tunnel does not make any difference to this
issue). When disabling the firewall (pf) at the _sender's side_
(important!) the data transfer does not stall.

Nothing is being blocked by the firewall (triple checked). It's not
just pf, as ipfw is reported to show the same effect. pf 'scrub' rules
don't make any difference (tested with and without scrubbing).

Really, I don't believe this is an MTU issue. In my test scenario I have
two hosts directly connected via ethernet (100BaseT), MTU = 1500, gif
MTU = 1280, no router between them.

If somebody else is using a gif tunnel over IPSec on a recent release
(RELENG_5/6, RELEASE_5_x) plus firewall, please provide me (by private
email) with your kernel config, racoon.conf and your ipsec rules. That
way I might check out different kernel settings and test that out here
using my test setup.

When talking about 'tcp session within the gif tunnel': I haven't
checked if this also happens to udp. I've checked tcp sessions through
the gif tunnel by scp and a plain ascii transfer by using (g)netcat.

Matthew and I have arranged to test an IPSec + gif setup over the
public internet one more time. I bet this will show the stalling, too.

bye,

Volker
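The post narrows the problem down by a matrix of runs (with/without IPSec, gif, pf) and by the observation that the stall happens after roughly 56k to 64k of data. A small helper that turns periodic byte-counter samples from the sender into "bytes transferred before the stall" makes that comparison repeatable across runs. The code below is an added example and not part of the post or of FreeBSD; the sampling format (elapsed seconds, cumulative bytes) and the sample data are constructed, and the 5-second stall threshold is an assumption.

```python
"""Stall detector for tunnel transfer tests (added example, constructed data).

Each run is a list of (elapsed_seconds, cumulative_bytes_sent) samples
taken on the sender, e.g. by polling the socket or gif interface counters
every half second. A stall is declared when the byte counter stays flat
for at least STALL_SECONDS; the detector reports the last sample that
showed progress so that runs can be compared by "bytes before stall".
"""
from typing import Dict, List, Optional, Tuple

STALL_SECONDS = 5.0          # assumed: flat counter for this long == stall
SUSPECT_LOW = 56 * 1024      # byte range the post reports the stall in
SUSPECT_HIGH = 64 * 1024

Sample = Tuple[float, int]   # (elapsed seconds, cumulative bytes)


def find_stall(samples: List[Sample],
               stall_seconds: float = STALL_SECONDS) -> Optional[Sample]:
    """Return the last (time, bytes) sample before progress stopped, or
    None if the counter never stayed flat for stall_seconds."""
    if not samples:
        return None
    last_progress = samples[0]
    for t, b in samples[1:]:
        if b > last_progress[1]:
            last_progress = (t, b)          # counter moved: reset the clock
        elif t - last_progress[0] >= stall_seconds:
            return last_progress            # flat long enough: stalled here
    return None


def in_suspect_range(bytes_at_stall: int,
                     low: int = SUSPECT_LOW, high: int = SUSPECT_HIGH) -> bool:
    """True if the stall point falls in the 56k..64k window the post saw."""
    return low <= bytes_at_stall <= high


def summarize_runs(runs: Dict[str, List[Sample]]) -> Dict[str, Optional[int]]:
    """Map each run name to the bytes that got through before the stall,
    or None for a run that completed without stalling."""
    result: Dict[str, Optional[int]] = {}
    for name, samples in runs.items():
        stall = find_stall(samples)
        result[name] = None if stall is None else stall[1]
    return result


def constructed_runs() -> Dict[str, List[Sample]]:
    """Two constructed sampling traces, half-second interval, 7 seconds long.
    'ipsec+gif+pf' climbs to 61440 bytes and then goes flat;
    'ipsec+gif-pf' keeps climbing at 40 KiB/s for the whole window."""
    stalled: List[Sample] = []
    healthy: List[Sample] = []
    for i in range(15):
        t = i * 0.5
        linear = int(40960 * t)
        healthy.append((t, linear))
        stalled.append((t, min(linear, 61440)))
    return {"ipsec+gif+pf": stalled, "ipsec+gif-pf": healthy}


if __name__ == "__main__":
    for run, nbytes in summarize_runs(constructed_runs()).items():
        if nbytes is None:
            print(f"{run}: no stall within sampled window")
        else:
            flag = " (inside 56k..64k range)" if in_suspect_range(nbytes) else ""
            print(f"{run}: stalled after {nbytes} bytes{flag}")
```

Feeding real traces from each cell of the matrix (pf on/off, gif on/off, IPSec on/off) into `summarize_runs` gives one number per run, which makes it easy to see whether the stall really sits at a fixed byte boundary or drifts between runs.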


