IPSEC MTU routing issue

Andrei Brezan andrei693 at gmail.com
Thu Jan 29 09:48:22 UTC 2015


On 01/23/15 15:13, VANHULLEBUS Yvan wrote:
> Hi.
>
> On Wed, Jan 21, 2015 at 03:16:21PM +0100, Andrei Brezan wrote:
>> Weird subject, maybe.
>>
>> I'm running FreeBSD-10.0-RELEASE with PF as firewall and racoon for
>> IPSEC. The IPSEC tunnel is between the FreeBSD box and a Fortinet
>> appliance.
>>
>> The IPSEC tunnel comes up and on a quick test it seems to be
>> working, icmp between networks is ok, you can successfully telnet on
>> services on the other side. However when you need to transfer some
>> data strange things happen. I'm really trying to wrap my head around
>> it and I still don't understand why it happens
>> (http://pastebin.com/NAspcM9w). The packets smaller than 1260 and
>> larger than 1417 are delivered to vlan103, the ones in between are
>> not.
>
> I'm not sure why you have this strange issue.
> Having a look at your IPsec/ESP related kernel stats may give a first
> idea.
>
>
> But I know that, even if you find a fix for this, you'll have very
> poor performance as soon as packets start to be fragmented, and your
> data transfers may just stall forever.
>
> So, the usual way of solving that is to change the TCPMSS "low enough"
> on the fly for all IPsec related traffic.
> 1300 is a common value, low enough to avoid fragmentation, and high
> enough to keep good throughput.
>
> Of course, this will only work for TCP, but most big packets / long
> flows are done on TCP.
>

Thanks Yvan,

The ICMP started working at some point, most likely when I changed 
something in my config or the other side did, wasn't able to identify 
it. I still had the issues specified in this thread 
https://forums.freebsd.org/threads/ipsec-racoon-gif-packet-routing-issues-transfer-stall-fail.50085/

I managed to resolve the problems with an update from Release 10.0 to 10.1.

-- 
Andrei
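For readers who want to apply the MSS-clamping advice Yvan gives above, the following pf.conf fragment is an added example; it is not from the thread, from Yvan's mail or from the FreeBSD project. It assumes the tunnelled traffic is carried by a gif interface named gif0 (the forum thread Andrei links mentions gif) and that the inside network is vlan103, as in the original pastebin description; the remote prefix 192.0.2.0/24 is a placeholder. The value 1300 is the one suggested in the thread.

```conf
# pf.conf fragment, constructed example (not from the thread or from Yvan's mail).
# gif0 is an assumption: use whichever gif/enc interface carries the IPsec traffic.

# Clamp the TCP MSS on every TCP segment crossing the tunnel interface.
# 1300 is the value suggested in the thread: small enough that the outer
# ESP packet (inner IP + TCP + ESP header/trailer/auth + outer IP) stays
# below the path MTU, large enough to keep throughput reasonable.
scrub on gif0 proto tcp all max-mss 1300

# Alternative when the IPsec policy selects traffic directly (no gif):
# clamp only the flows that will enter the tunnel, on the inside interface.
# 192.0.2.0/24 is a placeholder for the remote network behind the Fortinet.
scrub on vlan103 proto tcp from any to 192.0.2.0/24 max-mss 1300
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. After the change, a `tcpdump -ni gif0 'tcp[tcpflags] & tcp-syn != 0'` should show the SYN options carrying mss 1300 in both directions; if the MSS in the SYNs is unchanged, the scrub rule is not matching the interface the tunnel actually uses. As Yvan notes, this only helps TCP; UDP and ICMP payloads larger than the tunnel MTU are still fragmented.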

