IPSec tcp session stalling

Christopher Sean Hilton chilton at vindaloo.com
Mon Jun 5 07:44:51 PDT 2006

I'm having a problem with a FreeBSD workstation that tried to connect
to a remote VPN via an IPSec tunnel. Here's my setup:

A FreeBSD workstation: W

An OpenBSD router: LR

And another OpenBSD router: RR

A remote FreeBSD server: S

LR and RR are connected via an IPSec tunnel. W shares the local
ethernet with LR and LR is W's default gateway. S shares the remote
ethernet with RR and RR is S's default gateway.

The problem comes when I use scp. If I try to send a file bigger than
1400 bytes or so from W to S or vice versa the connection stalls and I
seem to be left waiting for Godot. If I tcpdump the connection I see
that when sending a file from W to S, LR sends W an ICMP message which
states that the last tcp packet was too large and it should change
it's MTU. But the connection stalls right there. I noticed that
OpenBSD has a flag on scrub rules called no-df which strips the Don't
Fragment flag from the packet. Turning this bit on fixes the problem.

I'm wondering why FreeBSD doesn't send anything after it gets the ICMP
message which states that it needs to change its MTU for that

-- Chris

Chris Hilton                                   chris-at-vindaloo-dot-com
                "All I was doing was trying to get home from work!"
                                                 -- Rosa Parks

More information about the freebsd-questions mailing list
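Added example (not part of the original post, and not FreeBSD or OpenBSD code): the ICMP message the poster saw in tcpdump is a "Destination Unreachable, Fragmentation Needed and DF set" (type 3, code 4) whose low 16 bits of the second word carry the next-hop MTU (RFC 1191). The script below builds one such message from constructed sample data, decodes it the way a Path MTU Discovery sender must, and works out the TCP MSS the sender should drop to before retransmitting. The addresses, ports, the 1500-byte offending segment and the 1400-byte next-hop MTU are all assumptions chosen to match the ~1400-byte threshold described in the post; nothing here is taken from the poster's capture.

```python
"""Decode an ICMP 'Fragmentation Needed' (type 3, code 4) message and derive
the Path MTU Discovery (RFC 1191) reaction a TCP sender should have to it.

All addresses and sizes below are constructed sample data, not real traffic.
"""
import socket
import struct

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4
IP_DF = 0x4000          # Don't Fragment bit in the IPv4 flags/fragment-offset field
IP_PROTO_TCP = 6


def ipv4_header(src, dst, total_length, proto=IP_PROTO_TCP, flags=IP_DF, ident=0x1234):
    """Minimal 20-byte IPv4 header. Checksum is left at zero: this header is only
    ever embedded inside an ICMP error for decoding, never sent on the wire."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_length, ident, flags,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def frag_needed_message(offending_ip_header, offending_l4_first8, next_hop_mtu):
    """ICMP type 3 code 4. The second 32-bit word is 16 unused bits followed by
    the next-hop MTU (RFC 1191); the payload is the dropped datagram's IP header
    plus the first 8 bytes of its transport header (enough for ports/seq)."""
    header = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    return header + offending_ip_header + offending_l4_first8


def parse_frag_needed(icmp):
    """Return what a sender needs from the ICMP error: the reported MTU and the
    identity (and DF state) of the packet that was too big."""
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        raise ValueError("not an ICMP fragmentation-needed message")
    inner = icmp[8:]
    (ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _csum2,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {
        "next_hop_mtu": mtu,
        "dropped_len": total_len,
        "df_set": bool(flags_frag & IP_DF),
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "sport": sport,
        "dport": dport,
    }


def tcp_mss_for_mtu(mtu, ip_hdr=20, tcp_hdr=20):
    """Largest TCP payload that fits one packet of the given MTU (no IP/TCP options)."""
    return mtu - ip_hdr - tcp_hdr


def pmtud_decision(info, current_pmtu):
    """RFC 1191 sender behaviour, as (action, new_pmtu, new_mss).
    Only a message about a DF-marked packet reporting a *smaller* MTU than
    the current estimate should change anything; a stall after such a message,
    as in the post, means this step never happened."""
    if not info["df_set"]:
        return ("ignore-df-clear", current_pmtu, tcp_mss_for_mtu(current_pmtu))
    mtu = info["next_hop_mtu"]
    if mtu == 0:
        # Pre-RFC1191 router: no MTU reported, sender must fall back to a
        # plateau search. Left as a distinct outcome here.
        return ("plateau-search", current_pmtu, tcp_mss_for_mtu(current_pmtu))
    if mtu >= current_pmtu:
        return ("ignore-not-smaller", current_pmtu, tcp_mss_for_mtu(current_pmtu))
    return ("shrink-and-retransmit", mtu, tcp_mss_for_mtu(mtu))


def sample_capture():
    """Constructed stand-in for the message LR would send W: W (192.168.1.10)
    sent a 1500-byte DF-marked TCP segment to S (10.0.0.5) port 22; the tunnel
    hop only carries 1400 bytes (assumed value)."""
    ip = ipv4_header("192.168.1.10", "10.0.0.5", total_length=1500)
    tcp8 = struct.pack("!HHI", 54321, 22, 1000)   # sport, dport, seq
    return frag_needed_message(ip, tcp8, next_hop_mtu=1400)


if __name__ == "__main__":
    info = parse_frag_needed(sample_capture())
    print(info)
    print(pmtud_decision(info, current_pmtu=1500))
```

For the router side, pf offers two real knobs in scrub rules: `no-df` (the one the poster used) clears DF so the router fragments the oversized packets itself, at the cost of fragmenting inside the tunnel; `max-mss` rewrites the MSS option on SYNs so the hosts never emit segments that need the ICMP path at all. Either works around a sender that does not react to the message decoded above, but neither explains why it did not react, which is the poster's actual question.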