[Bug 242744] IPSec in transport mode between FreeBSD hosts blackholes TCP traffic

bugzilla-noreply at freebsd.org
Fri Dec 20 18:41:02 UTC 2019


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242744

            Bug ID: 242744
           Summary: IPSec in transport mode between FreeBSD hosts
                    blackholes TCP traffic
           Product: Base System
           Version: 12.1-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs at FreeBSD.org
          Reporter: vas at sibptus.ru

When you configure transport mode IPSec between two FreeBSD hosts (no tunnels
or if_ipsec), TCP connectivity between those hosts breaks. It happens because:

a) ESP packets are always generated with the DF flag set;
b) PMTUD does not work in IPSec transport mode because there is no interface (?);
c) when TCP segments of standard size are encapsulated into ESP packets, the
   resulting oversized ESP packets cannot pass through any interface with
   MTU=1500, nor can they be fragmented because of the DF flag, so they are
   just blackholed and never leave the host.

How to reproduce. Configure a simple transport mode IPSec between two FreeBSD
hosts and try to scp files from one host to another. The file transfer will
inevitably stall, until you clear all IPSec policies. Watch with tcpdump: all
ESP packets have the DF flag set, but large ESP packets will be missing.

A workaround. A host route to the peer with "-mtu 1400" can be configured as
described in
https://lists.freebsd.org/pipermail/freebsd-net/2019-December/054952.html but
it is not scalable.

What is to be done. ESP packets should not have the DF flag set by default for
things to "just work."

I've checked that the net.inet.ipsec.dfbit sysctl does not affect transport mode.
Regardless of its value, the DF flag is always on.

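The arithmetic behind the stall and the "-mtu 1400" workaround, as an added example that is not part of the bug report: it computes the wire size of a transport-mode ESP packet for a given TCP segment and, going slightly beyond the report, the largest route MTU that still lets every full-size segment through. It assumes an AES-CBC / HMAC-SHA1-96 SA (16-byte IV and block, 12-byte ICV), IPv4 and TCP without options; other SA parameters change the numbers but not the conclusion.

```python
# Added example (not from the bug report): how ESP in transport mode inflates
# a TCP segment, and why a route MTU of 1400 makes the packets fit in 1500.
# Assumed SA parameters: AES-CBC (16-byte IV, 16-byte block), HMAC-SHA1-96 (12-byte ICV).

IPV4_HEADER = 20     # transport mode reuses the original IP header (protocol -> ESP)
TCP_HEADER = 20      # TCP header without options (assumption)
ESP_HEADER = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)


def esp_transport_size(ip_payload_len, iv_len=16, block=16, icv_len=12):
    """Wire size of an IPv4 packet whose payload (TCP header + data) is
    protected by ESP in transport mode, using RFC 4303 framing."""
    # Padding brings payload + trailer up to a multiple of the cipher block size.
    pad = -(ip_payload_len + ESP_TRAILER) % block
    encrypted = ip_payload_len + pad + ESP_TRAILER
    return IPV4_HEADER + ESP_HEADER + iv_len + encrypted + icv_len


def segment_fits(mss, link_mtu=1500):
    """True if a segment carrying `mss` data bytes still fits the link after
    ESP encapsulation; False means DF prevents fragmentation and it is dropped."""
    return esp_transport_size(TCP_HEADER + mss) <= link_mtu


def max_route_mtu(link_mtu=1500):
    """Largest '-mtu' value for a host route to the peer such that every
    full-size segment derived from it survives ESP encapsulation."""
    mtu = link_mtu
    while not segment_fits(mtu - IPV4_HEADER - TCP_HEADER, link_mtu):
        mtu -= 1
    return mtu


if __name__ == "__main__":
    # Default path MTU 1500 -> MSS 1460: the ESP packet is 1544 bytes, blackholed.
    print(esp_transport_size(TCP_HEADER + 1460), segment_fits(1460))
    # Workaround route (-mtu 1400 -> MSS 1360): 1448 bytes, delivered.
    print(esp_transport_size(TCP_HEADER + 1360), segment_fits(1360))
    # Tightest route MTU for these SA parameters; 1400 leaves a safe margin.
    print(max_route_mtu())
```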