IPSec transport mode, mtu, fragmentation...

Kajetan Staszkiewicz vegeta at tuxpowered.net
Fri Dec 20 15:26:38 UTC 2019


On 20.12.19 16:23, Victor Sudakov wrote:
> Dear Colleagues,
> 
> I've set up IPSec in transport mode between two regular FreeBSD hosts,
> for testing. Now TCP sessions between those hosts don't work normally
> any more. For example, scp is stalled almost immediately after starting
> a file transfer, and so is interactive ssh eventually.
> 
> I feel that the problem is somehow related to MTU, MSS and fragmentation
> of ESP packets, because:
> 
> 1. When IPSec is disabled, I can "ping -s1472 -D" the remote host all
> right. 
> 
> 2. When IPSec is enabled, the maximum packet size I've been able to send
> through is "ping -s1414 -D". ("ping -s1415 -D host-b" already disappears
> in the void).
> 
> I'm really at a loss what to do about that. In transport mode, there is
> no network interface I could adjust MTU on, or run some kind of MSS
> fixer.

Maybe you could add a route to the remote host with the -mtu parameter. I've
never tested this because I have interfaces (either if_ipsec or if_gif
protected with transport mode IPSec) and I do mss clamping in pf, but
this could work.

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
|  Kajetan Staszkiewicz  | jabber,email: vegeta()tuxpowered net  |
|        Vegeta          | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'
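
The measurement from the quoted message and the route suggestion from the reply, combined as an added example (not part of the original thread): it binary-searches the largest "ping -D" payload that still gets an answer and derives the matching route MTU and TCP MSS. The 1200 to 1472 search bounds, the gateway argument and the script name are assumptions, and the route command is only printed, never run.

```sh
#!/bin/sh
# Added example: find the largest DF ping that survives IPsec, then derive
# the route MTU and TCP MSS. Host, gateway and bounds are assumptions.

# probe SIZE HOST: true if one echo with Don't Fragment set is answered.
# FreeBSD ping(8): -D sets DF, -s is ICMP payload bytes, -t is a timeout.
probe() {
    ping -D -c 1 -t 2 -s "$1" "$2" >/dev/null 2>&1
}

# max_df_payload HOST LO HI [PROBE_FN]
# Binary search for the largest payload in [LO, HI] that PROBE_FN accepts.
# Valid because ESP padding only ever grows the packet with the payload.
max_df_payload() {
    host=$1 lo=$2 hi=$3 probe_fn=${4:-probe}
    "$probe_fn" "$lo" "$host" || return 1   # nothing passes even at LO
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe_fn" "$mid" "$host"; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$lo"
}

# ICMP payload + 8 (ICMP header) + 20 (IPv4 header) = largest inner packet.
route_mtu() { echo $(( $1 + 28 )); }

# MTU - 20 (IPv4 header) - 20 (TCP header without options) = TCP MSS.
tcp_mss() { echo $(( $1 - 40 )); }

# Usage (hypothetical script name): sh ipsec-mtu.sh host-b gateway
if [ $# -ge 2 ]; then
    best=$(max_df_payload "$1" 1200 1472) || { echo "no reply at 1200" >&2; exit 1; }
    mtu=$(route_mtu "$best")
    echo "largest DF payload: $best  inner MTU: $mtu  TCP MSS: $(tcp_mss "$mtu")"
    echo "route add -host $1 $2 -mtu $mtu"
fi
```

For the 1414-byte limit reported in the quoted message this gives a route MTU of 1442 and a TCP MSS of 1402.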
