IPSEC MTU routing issue

Andrei Brezan andrei693 at gmail.com
Wed Jan 21 14:16:26 UTC 2015


Weird subject, maybe.

I'm running FreeBSD-10.0-RELEASE with PF as the firewall and racoon for 
IPsec. The IPsec tunnel is between the FreeBSD box and a Fortinet appliance.

The IPsec tunnel comes up and on a quick test it seems to be working: 
ICMP between the networks is OK, and you can successfully telnet to services on 
the other side. However, when you need to transfer some data, strange 
things happen. I'm really trying to wrap my head around it and I still 
don't understand why it happens (http://pastebin.com/NAspcM9w). The 
packets smaller than 1260 and larger than 1417 are delivered to vlan103; 
the ones in between are not.

If anyone has any idea why this might happen please shed some light.

# tcpdump -nttti gif0

00:00:00.000000 IP "a.b.c.d" > "e.f.g.h": ICMP echo request, id 21034, 
seq 1, length 1108
00:00:43.603248 IP "a.b.c.d" > "e.f.g.h": ICMP echo request, id 22826, 
seq 1, length 1308

# tcpdump -nttti enc0

00:00:00.000000 (authentic,confidential): SPI 0x0d06e35d: IP 
109.235.79.81 > 193.239.202.174: IP "a.b.c.d" > "e.f.g.h": ICMP echo 
request, id 21034, seq 1, length 1108 (ipip-proto-4)
00:00:00.000139 (authentic,confidential): SPI 0x86741d6b: IP "e.f.g.h" > 
"a.b.c.d": ICMP echo reply, id 21034, seq 1, length 1108
00:00:00.000006 (authentic,confidential): SPI 0x86741d6b: IP 
193.239.202.174 > 109.235.79.81: IP "e.f.g.h" > "a.b.c.d": ICMP echo 
reply, id 21034, seq 1, length 1108 (ipip-proto-4)
00:00:43.603102 (authentic,confidential): SPI 0x0d06e35d: IP 
109.235.79.81 > 193.239.202.174: IP "a.b.c.d" > "e.f.g.h": ICMP echo 
request, id 22826, seq 1, length 1308 (ipip-proto-4)

# tcpdump -nttti vlan103 host "a.b.c.d"

00:00:00.000000 IP "a.b.c.d" > "e.f.g.h": ICMP echo request, id 21034, 
seq 1, length 1108
00:00:00.000109 IP "e.f.g.h" > "a.b.c.d": ICMP echo reply, id 21034, seq 
1, length 1108

Thanks,

-- 
Andrei
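The following is an added example, not part of Andrei's post: a small Python size model for ESP transport mode carrying a gif (IP-in-IP) tunnel, the layout the "ipip-proto-4" entries on enc0 suggest. It assumes AES-CBC with HMAC-SHA1-96 (16-byte IV, 16-byte block, 12-byte ICV) and option-free IPv4 headers; these cipher parameters and the outer path MTU values are assumptions, not taken from the post. It shows how a window of inner packet sizes can fail while both smaller and larger packets get through: sizes above the gif MTU are fragmented before encapsulation, while sizes just below it produce an ESP packet that no longer fits the outer path.

```python
"""Size model: ESP transport mode protecting a gif (IP-in-IP) tunnel.

Assumed parameters (not from the post): AES-CBC (16-byte IV and block),
HMAC-SHA1-96 (12-byte ICV), IPv4 headers without options.
"""

IP_HDR = 20          # IPv4 header without options
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
IV_LEN = 16          # AES-CBC IV
ICV_LEN = 12         # HMAC-SHA1-96
BLOCK = 16           # (payload + pad + trailer) must be a multiple of BLOCK


def inner_len_from_tcpdump(icmp_length: int) -> int:
    """tcpdump prints the ICMP length; the inner IP packet adds one IPv4 header."""
    return IP_HDR + icmp_length


def esp_transport_len(inner_len: int) -> int:
    """Bytes on the wire for one inner IP packet sent through gif0 and ESP.

    gif adds the outer IPv4 header; ESP transport mode then inserts its header,
    IV, padding, trailer and ICV between that header and the inner packet.
    """
    pad = (-(inner_len + ESP_TRAILER)) % BLOCK
    return IP_HDR + ESP_HDR + IV_LEN + inner_len + pad + ESP_TRAILER + ICV_LEN


def blackhole_band(gif_mtu: int, path_mtu: int):
    """Inner IP lengths that fit gif_mtu (so are not fragmented before
    encapsulation) but whose ESP packet exceeds path_mtu.

    Inner packets above gif_mtu are fragmented first and each fragment fits,
    so the failing sizes form a window between two working ranges.
    Returns (lowest, highest) inner length in that window, or None.
    """
    bad = [n for n in range(IP_HDR, gif_mtu + 1) if esp_transport_len(n) > path_mtu]
    return (bad[0], bad[-1]) if bad else None


if __name__ == "__main__":
    for icmp_len in (1108, 1308):        # the two probes seen in the gif0 capture
        inner = inner_len_from_tcpdump(icmp_len)
        print(f"ICMP length {icmp_len}: inner {inner} -> {esp_transport_len(inner)} bytes on the wire")
    for gif_mtu, path_mtu in ((1500, 1500), (1280, 1500), (1500, 1400)):   # assumed MTUs
        print(f"gif MTU {gif_mtu}, outer path MTU {path_mtu}: "
              f"undeliverable inner sizes {blackhole_band(gif_mtu, path_mtu)}")
```

Comparing the window the model predicts for the real gif0 MTU and outer path MTU against the sizes that actually fail is a quick way to confirm or rule out an encapsulation-overhead explanation before looking at PF or the peer.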
