[Bug 242744] IPSec in transport mode between FreeBSD hosts blackholes TCP traffic

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sat Dec 21 08:33:50 UTC 2019


--- Comment #5 from Victor Sudakov <vas at sibptus.ru> ---
(In reply to Eugene Grosbein from comment #4)

> First, one can use IPSec transport mode combined with gif tunnel and mtu=1500 for the gif. 

The solution with gif or if_ipsec tunnels is not scalable if you want to create
a mesh of hosts with protected traffic between them. If we are talking about
not more than 2-3 hosts, then the if_ipsec solution is the most elegant. 

> Second, one can try sysctl net.inet.ipsec.dfbit=0 that is documented in 
> ipsec(4) manual page for IPSec tunnel mode 
> but maybe it works for transport mode, too

I wrote in the initial problem description that this sysctl does not work for
transport mode. You just did not pay attention.

> Third, you can adjust TCP MSS by means of packet filters. 

I don't think I can if the packet in question is not received or transmitted
via any interface (like locally generated ssh-client traffic intercepted by
IPSec policies). Or I'll try if you provide an example of matching such a

I also tried pf's "scrub out proto 50 no-df" but there was no match.

In a FreeBSD - Windows 7 combination, this kind of transport mode works
transparently out of the box. I think Windows knows to adjust MSS, or
