IPSec transport mode, mtu, fragmentation...
vas at sibptus.ru
Fri Dec 20 16:56:18 UTC 2019
Victor Sudakov wrote:
> Kajetan Staszkiewicz wrote:
> > On 20.12.19 16:23, Victor Sudakov wrote:
> > > Dear Colleagues,
> > >
> > > I've set up IPSec in transport mode between two regular FreeBSD hosts,
> > > for testing. Now TCP sessions between those hosts don't work normally
> > > any more. For example, scp is stalled almost immediately after starting
> > > a file transfer, and so is interactive ssh eventually.
> > >
> > > I feel that the problem is somehow related to MTU, MSS and fragmentation
> > > of ESP packets, because:
> > >
> > > 1. When IPSec is disabled, I can "ping -s1472 -D" the remote host all
> > > right.
> > >
> > > 2. When IPSec is enabled, the maximum packet size I've been able to send
> > > through is "ping -s1414 -D". ("ping -s1415 -D host-b" already disappears
> > > in the void).
> > >
> > > I'm really at a loss what to do about that. In transport mode, there is
> > > no network interface I could adjust MTU on, or run some kind of MSS
> > > fixer.
> > Maybe you could add a route to the remote host with the -mtu parameter.
> Just tried "route add -host host-b -mtu 1400 gw". The route is there
> with the right mtu (according to "route get host-b") but it did not
> help. Probably the packet is intercepted by IPsec before it gets into
Sorry, Kajetan, I was mistaken, your advice with a host route *does*
work. It seems I was adding an IPv4 route but scp-ing over IPv6.
Your workaround works, I confirm.
> What gives? Setting up IPsec transport mode between hosts should be a
> simple thing which *just* *works*.
> What's the root of the problem? ESP packets cannot get fragmented or
I need to figure out why IPsec tunnel mode is always generating ESP
packets with the DF flag set. Therefore they just don't get through the
interface and never leave the host.
I cannot even "scrub out proto 50 no-df" them because they never go
through any f*cking interface, that's what I think is happening. Don't
tell me it's by design.
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
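A small troubleshooting script, added here as an illustration and not part of the thread: it bisects the largest ICMP payload that a DF-marked ping still gets through (the probing Victor did by hand with "ping -sN -D") and turns that into the -mtu value for the host route. It assumes FreeBSD ping(8) with -D/-W, IPv4 only, and PEER/GATEWAY as placeholder names.

```shell
#!/bin/sh
# Added example, not from the thread. Find the largest ping payload that
# passes with DF set, then derive the MTU to pin on a host route.
# Assumptions: FreeBSD ping(8) (-D sets DF, -W is the reply timeout in ms),
# IPv4 only, PEER and GATEWAY supplied by the caller.

# probe_ping SIZE: succeed (exit 0) if a DF-marked ping of SIZE payload
# bytes to $PEER is answered within one second.
probe_ping() {
    ping -D -c 1 -W 1000 -s "$1" "$PEER" >/dev/null 2>&1
}

# find_max_payload PROBE LO HI: largest SIZE in [LO,HI] for which
# "PROBE SIZE" succeeds, assuming that if a size passes, all smaller
# sizes pass too (true for a fixed path MTU). Prints -1 if LO already fails.
find_max_payload() {
    probe=$1; lo=$2; hi=$3
    best=-1
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid"; then
            best=$mid; lo=$((mid + 1))     # passes: look for something larger
        else
            hi=$((mid - 1))                # dropped: look for something smaller
        fi
    done
    printf '%s\n' "$best"
}

# route_mtu_for_payload SIZE: ICMP payload + 8 (ICMP header) + 20 (IPv4 header)
# gives the largest IP packet that fit, i.e. the MTU to put on the host route.
route_mtu_for_payload() {
    printf '%s\n' $(( $1 + 28 ))
}

# Usage: PEER=host-b GATEWAY=192.0.2.1 sh this.sh
# Prints the route(8) command to run; it does not change any routes itself.
if [ -n "$PEER" ]; then
    max=$(find_max_payload probe_ping 0 1472)
    if [ "$max" -ge 0 ]; then
        echo "route add -host $PEER -mtu $(route_mtu_for_payload "$max") ${GATEWAY:-GATEWAY}"
    else
        echo "no DF-marked ping of any size got through to $PEER" >&2
    fi
fi
```

With the sizes from this thread (1414 passes, 1415 does not) the script prints a route with -mtu 1442; the same probing is needed separately for the IPv6 route, which is what was missed above.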