[Bug 242744] IPSec in transport mode between FreeBSD hosts blackholes TCP traffic

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sat Dec 21 08:16:45 UTC 2019


Eugene Grosbein <eugen at freebsd.org> changed:

           What    |Removed                     |Added
             Status|New                         |Open
                 CC|                            |eugen at freebsd.org

--- Comment #4 from Eugene Grosbein <eugen at freebsd.org> ---
There are multiple ways to solve this problem that work just fine for FreeBSD
11 at least.

First, one can use IPSec transport mode combined with gif tunnel and mtu=1500
for the gif. Oversized IPv4 gif packets have DF bit set to 0, as per gif(4)
manual page, so they get fragmented while being transmitted over path with
lowest intermediate mtu 1500 or less and no packet drops occur.

Second, one can try sysctl net.inet.ipsec.dfbit=0 that is documented in
ipsec(4) manual page for IPSec tunnel mode but maybe it works for transport
mode, too. Check it out. Maybe, you can switch your IPSec to tunnel mode.

Third, you can adjust TCP MSS by means of packet filters. For example, ipfw
currently has additional kernel module ipfw_pmod.ko and command ipfw

You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-net mailing list