IPSec transport mode, mtu, fragmentation...
Victor Sudakov
vas at sibptus.ru
Fri Dec 20 15:23:22 UTC 2019
Dear Colleagues,
I've set up IPSec in transport mode between two regular FreeBSD hosts,
for testing. Now TCP sessions between those hosts don't work normally
any more. For example, scp is stalled almost immediately after starting
a file transfer, and so is interactive ssh eventually.
I feel that the problem is somehow related to MTU, MSS and fragmentation
of ESP packets, because:
1. When IPSec is disabled, I can "ping -s1472 -D" the remote host all
right.
2. When IPSec is enabled, the maximum packet size I've been able to send
through is "ping -s1414 -D". ("ping -s1415 -D host-b" already disappears
in the void).
I'm really at a loss what to do about that. In transport mode, there is
no network interface I could adjust MTU on, or run some kind of MSS
fixer.
PS And I'm talking about IPv4 only for now, but "{scp, ssh} -6" is stalling too.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-net/attachments/20191220/acdcdcd2/attachment.sig>
More information about the freebsd-net
mailing list