[Bug 242744] IPSec in transport mode between FreeBSD hosts blackholes TCP traffic
bugzilla-noreply at freebsd.org
Fri Dec 20 18:41:02 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242744
Bug ID: 242744
Summary: IPSec in transport mode between FreeBSD hosts blackholes TCP traffic
Product: Base System
Version: 12.1-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: vas at sibptus.ru
When you configure transport mode IPSec between two FreeBSD hosts (no tunnels
or if_ipsec), TCP connectivity between those hosts breaks. It happens because
a) ESP packets are always generated with the DF flag set, b) PMTUD does not
work in IPSec transport mode because there is no interface (?), c) when TCP
segments of standard size are encapsulated into ESP packets, the resulting
oversized ESP packets cannot pass through any interface with MTU=1500, nor can
they be fragmented because of the DF flag, so they are just blackholed and
never leave the host.

How to reproduce. Configure a simple transport mode IPSec between two FreeBSD
hosts and try to scp files from one host to another. The file transfer will
inevitably stall until you clear all IPSec policies. Watch with tcpdump: all
ESP packets have the DF flag set, but large ESP packets will be missing.

A workaround. A host route to the peer with "-mtu 1400" can be configured as
described in
https://lists.freebsd.org/pipermail/freebsd-net/2019-December/054952.html, but
it is not scalable.

What is to be done. ESP packets should not have the DF flag set by default for
things to "just work."

I've checked that net.inet.ipsec.dfbit does not affect transport mode.
Regardless of its value, the DF flag is always on.
--
You are receiving this mail because:
You are the assignee for the bug.
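The size arithmetic behind the report, as an added worked example (not part of the bug report or of FreeBSD's own code): it computes how large a transport-mode ESP packet becomes for a given inner IPv4 packet, the largest route MTU whose encapsulation still fits a 1500-byte link with DF set, and the resulting route(8) workaround. The ESP algorithm parameters are an assumption for illustration (AES-CBC with a 16-byte IV and 16-byte block, HMAC-SHA1-96 with a 12-byte ICV); other cipher and authenticator choices change only the IV, block and ICV sizes passed in. The `route add -host PEER GATEWAY -mtu N` form and the `PEER`/`GATEWAY` placeholders are likewise assumptions about how the workaround is written, not a quote from the mailing-list thread. Nothing here talks to the kernel; it only explains why a full-size segment cannot leave the host and why 1400 happens to fit.

```shell
#!/bin/sh
# Added example: why transport-mode ESP blackholes full-size TCP segments.
# Assumed SA algorithms: AES-CBC-128 (16-byte IV, 16-byte block) with
# HMAC-SHA1-96 (12-byte ICV). Pass different IV/BLOCK/ICV sizes for others.
IP_HDR=20      # IPv4 header without options
ESP_HDR=8      # SPI (4) + sequence number (4)
ESP_TRAILER=2  # pad length (1) + next header (1)

# Round $1 up to a multiple of $2.
roundup() {
    echo $(( ( $1 + $2 - 1 ) / $2 * $2 ))
}

# Wire size of a transport-mode ESP packet carrying an inner IPv4 packet of
# INNER_LEN bytes. Transport mode keeps the original IP header and protects
# only the transport payload (TCP header + data), so the 20-byte header stays
# and the rest grows by ESP header, IV, padding, trailer and ICV.
# usage: esp_transport_len INNER_LEN IV_LEN BLOCK_LEN ICV_LEN
esp_transport_len() {
    inner=$1; iv=$2; blk=$3; icv=$4
    payload=$(( inner - IP_HDR ))                        # TCP header + data
    padded=$(roundup $(( payload + ESP_TRAILER )) "$blk") # pad to cipher block
    echo $(( IP_HDR + ESP_HDR + iv + padded + icv ))
}

# Largest inner packet size (the value for route -mtu) whose encapsulation
# still fits LINK_MTU. Since DF is always set, anything larger is dropped
# on the local host instead of being fragmented.
# usage: max_route_mtu LINK_MTU IV_LEN BLOCK_LEN ICV_LEN
max_route_mtu() {
    link=$1; iv=$2; blk=$3; icv=$4
    room=$(( link - IP_HDR - ESP_HDR - iv - icv ))       # bytes for padded payload
    padded=$(( room / blk * blk ))                       # round down to a block
    echo $(( padded - ESP_TRAILER + IP_HDR ))
}

# The workaround from the report, sized from the link MTU instead of a
# hard-coded 1400. PEER and GATEWAY are placeholders for your own addresses.
# usage: workaround_route PEER GATEWAY LINK_MTU IV_LEN BLOCK_LEN ICV_LEN
workaround_route() {
    peer=$1; gw=$2; shift 2
    echo "route add -host $peer $gw -mtu $(max_route_mtu "$@")"
}

# Demonstration with the report's numbers (constructed, not captured traffic):
# a full-size 1500-byte TCP packet (20 IP + 20 TCP + 1460 data) becomes a
# 1544-byte ESP packet, which cannot pass a 1500-byte link and cannot be
# fragmented while DF is set, so it never leaves the host.
demo() {
    full=$(esp_transport_len 1500 16 16 12)
    limit=$(max_route_mtu 1500 16 16 12)
    small=$(esp_transport_len 1400 16 16 12)
    echo "1500-byte TCP packet -> $full-byte ESP packet (> 1500 with DF: blackholed)"
    echo "largest route MTU that still fits a 1500-byte link: $limit"
    echo "with -mtu 1400: 1400-byte packet -> $small-byte ESP packet (fits)"
    workaround_route PEER GATEWAY 1500 16 16 12
}
demo
```

The 1400 from the mailing-list workaround is simply a comfortable margin below the computed limit; the exact ceiling depends on the negotiated algorithms, which is one reason a per-peer host route does not scale. Observing the effect is the tcpdump check the report describes: ESP packets carry DF, and the ones that would exceed the link MTU are never seen on the wire.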