IPSec tcp session stalling ( me too ) ...
Volker
volker at vwsoft.com
Mon Oct 24 14:19:28 PDT 2005
Yvan,
>> 2) a gif tunnel
>
> No, and that's the main difference for now: I *never* used Gif
> interfaces.
And that's the point. When not using a gif interface to pass traffic
through the IPSec tunnel, I don't see any trouble at all and everything
works fine. As soon as a gif interface is involved, the tcp (haven't
checked with udp) session running inside the gif tunnel breaks.
When either not using IPSec, not enabling pf or not using gif -
everything is fine.
My setup always secured the outside of the tunnel. I haven't checked to
secure the inside of the gif tunnel by using IPSec.
Volker
On 2005-10-24 17:08, VANHULLEBUS Yvan wrote:
> On Mon, Oct 24, 2005 at 11:05:21AM -0500, Matthew Grooms wrote:
>
>>Yvan,
>>
>>VANHULLEBUS Yvan wrote:
>>
>>
>>>We have *lots* of Gates running FreeBSD 4.11 and IPSEC (not
>>>FAST_IPSEC), and I already have some 5.3 / 6.0 gates, also using
>>>IPSEC.
>>>
>>>
>>>Yvan.
>>>
>>
>> I have a 4.11 server in production handling VPN traffic that is
>>working perfectly as well. With 5.x or 6.x, my testing shows that
>>traffic originating from a VPN gateway that traverses the tunnel works
>>without a problem too. I only see this happen with TCP traffic, on 5.x+
>>while running a packet filter ( pf or ipfw ) and forwarding traffic
>>sourced from a private network that matches the IPSEC security policy.
>
>
> Ok.
>
>
>
>>Volker is seeing the problem with TCP traffic, when he is running 5.x+
>>while running a packet filter and forwarding gif tunnel traffic that
>>matches the IPSEC security policy.
>
>
> It really looks like we all experienced different problems (my
> "problem" is the MTU issue I regularly see) which have "some common
> aspects".
>
>
>
>> So, I appreciate your input by stating that your servers are not
>>experiencing the same problem we are seeing. But before you dismiss the
>>validity of our issue, you should be able to answer yes to all of
>>the following questions.
>
>
> I don't dismiss anything, just telling that this is not a "global IPSec
> issue", but "something more specific". My first idea was the MTU
> issue, it looks like it's not that.
>
>
>
>>Are you ...
>>
>>A) Running 5.x or 6.x
>
>
> 6.0 on at least one production gate, and we are starting to do heavy
> tests on some 5.4 gates (yes, I know, this can look strange, but the
> 6.0 Gate is not related to our global "production").
>
>
>
>>B) Running a packet filter
>
>
> Pf on the 6.0 Gate, specific packet filter on 4.11 / 5.4 products.
>
>
>
>>C) Protecting traffic being forwarded from either
>> 1) a private network
>
>
> Yes
>
>
>> 2) a gif tunnel
>
>
> No, and that's the main difference for now: I *never* used Gif
> interfaces.
>
>
>
>>D) Sending TCP traffic
>
>
> I can answer "sending lots of TCP traffic, including, for example,
> some large (lots of Mb) scp file transfers".
>
>
>
> Yvan.
>
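As an added illustration (not Volker's or Yvan's configuration, and not anything posted in this thread), the script below sketches the two ways of combining gif(4) and IPsec that the reply distinguishes on a FreeBSD 5.x/6.x gateway: "securing the outside of the tunnel" (SPD policies on the IP-in-IP traffic gif0 emits between the public endpoints, ESP transport mode) versus "securing the inside" (SPD policies on the private networks themselves, ESP tunnel mode, no gif at all). All addresses are constructed documentation/RFC 1918 values, the external interface name em0 is assumed, and the pf rules are the minimal set this author would expect for each variant; it only prints the commands unless run as root with APPLY=1.

```shell
#!/bin/sh
# Added illustration: gif-over-IPsec versus plain IPsec tunnel-mode policies
# on a FreeBSD gateway. Addresses below are constructed (RFC 5737 / RFC 1918),
# em0 is an assumed interface name. Prints the commands/policies by default;
# APPLY=1 executes them (needs root on the gateway).

LOCAL_EXT=203.0.113.1     # this gateway's public address (constructed)
PEER_EXT=198.51.100.1     # remote gateway's public address (constructed)
LOCAL_GIF=10.0.1.1        # gif0 inner endpoint, local side (constructed)
PEER_GIF=10.0.2.1         # gif0 inner endpoint, remote side (constructed)
LOCAL_NET=10.0.1.0/24     # private network behind this gateway (constructed)
PEER_NET=10.0.2.0/24      # private network behind the remote gateway (constructed)

# gif(4) tunnel: outer addresses are the public endpoints, inner addresses
# the point-to-point pair; the route to the remote private net goes via gif0.
gif_commands() {
    cat <<EOF
ifconfig gif0 create
ifconfig gif0 tunnel $LOCAL_EXT $PEER_EXT
ifconfig gif0 inet $LOCAL_GIF $PEER_GIF netmask 255.255.255.255
route add -net $PEER_NET $PEER_GIF
EOF
}

# "Secure the outside of the tunnel": the SPD matches the IP-in-IP packets
# (protocol 4, "ipencap" in /etc/protocols) that gif0 emits between the two
# public endpoints, so the whole gif payload rides inside ESP transport mode.
spd_outer() {
    cat <<EOF
spdflush;
spdadd $LOCAL_EXT $PEER_EXT ipencap -P out ipsec esp/transport//require;
spdadd $PEER_EXT $LOCAL_EXT ipencap -P in ipsec esp/transport//require;
EOF
}

# "Secure the inside": the SPD matches the private-network traffic itself
# and wraps it in ESP tunnel mode between the gateways; no gif interface.
spd_inner() {
    cat <<EOF
spdflush;
spdadd $LOCAL_NET $PEER_NET any -P out ipsec esp/tunnel/$LOCAL_EXT-$PEER_EXT/require;
spdadd $PEER_NET $LOCAL_NET any -P in ipsec esp/tunnel/$PEER_EXT-$LOCAL_EXT/require;
EOF
}

# pf rules for the external interface: IKE (UDP 500) and ESP from the peer.
# On the KAME/FAST_IPSEC stacks of this era the decrypted payload is handed
# back to ip_input and filtered again on the same interface, so the inner
# traffic (ipencap for gif, the private nets otherwise) is allowed explicitly.
pf_rules() {
    cat <<EOF
ext_if = "em0"
pass in on \$ext_if proto udp from $PEER_EXT to $LOCAL_EXT port 500
pass out on \$ext_if proto udp from $LOCAL_EXT to $PEER_EXT port 500
pass in on \$ext_if proto esp from $PEER_EXT to $LOCAL_EXT
pass out on \$ext_if proto esp from $LOCAL_EXT to $PEER_EXT
EOF
    if [ "$1" = outer ]; then
        cat <<EOF
pass in on \$ext_if proto ipencap from $PEER_EXT to $LOCAL_EXT
pass quick on gif0 all
EOF
    else
        printf 'pass in on $ext_if from %s to %s\n' "$PEER_NET" "$LOCAL_NET"
    fi
}

main() {
    mode=${1:-outer}
    case $mode in
        outer) policy=$(spd_outer) ;;
        inner) policy=$(spd_inner) ;;
        *) echo "usage: $0 [outer|inner]" >&2; return 2 ;;
    esac
    if [ "${APPLY:-0}" = 1 ]; then
        if [ "$mode" = outer ]; then gif_commands | sh -e; fi
        printf '%s\n' "$policy" | setkey -c
    else
        if [ "$mode" = outer ]; then gif_commands; fi
        printf '%s\n' "$policy"
        pf_rules "$mode"
    fi
}

main "$@"
```

Run as `sh gif-ipsec.sh outer` or `sh gif-ipsec.sh inner` to see the generated ifconfig/setkey/pf fragments; racoon (or whatever IKE daemon) still has to negotiate the SAs the policies require. The point of having both variants side by side is that the "inner" form protects the same private-to-private traffic without any gif interface in the path, which is the one ingredient Yvan's working gates lack.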