Yvan,

>> 2) a gif tunnel
>
> No, and that's the main difference for now: I *never* used Gif
> interfaces.

And that's the point. When not using a gif interface to pass traffic
through the IPSec tunnel, I don't see any trouble at all and everything
works fine. As soon as a gif interface is involved, the tcp (haven't
checked with udp) session running inside the gif tunnel breaks. When
either not using IPSec, not enabling pf or not using gif - everything is
fine.

My setup always secured the outside of the tunnel. I haven't checked
securing the inside of the gif tunnel by using IPSec.

Volker

On 2005-10-24 17:08, VANHULLEBUS Yvan wrote:
> On Mon, Oct 24, 2005 at 11:05:21AM -0500, Matthew Grooms wrote:
>
>> Yvan,
>>
>> VANHULLEBUS Yvan wrote:
>>
>>> We have *lots* of Gates running FreeBSD 4.11 and IPSEC (not
>>> FAST_IPSEC), and I already have some 5.3 / 6.0 gates, also using
>>> IPSEC.
>>>
>>> Yvan.
>>
>> I have a 4.11 server in production handling VPN traffic that is
>> working perfectly as well. With 5.x or 6.x, my testing shows that
>> traffic originating from a VPN gateway that traverses the tunnel works
>> without a problem too. I only see this happen with TCP traffic, on 5.x+
>> while running a packet filter ( pf or ipfw ) and forwarding traffic
>> sourced from a private network that matches the IPSEC security policy.
>
> Ok.
>
>> Volker is seeing the problem with TCP traffic, when he is running 5.x+
>> while running a packet filter and forwarding gif tunnel traffic that
>> matches the IPSEC security policy.
>
> It really looks like we all experienced different problems (my
> "problem" is the MTU issue I regularly see) which have "some common
> aspects".
>
>> So, I appreciate your input by stating that your servers are not
>> experiencing the same problem we are seeing. But before you dismiss the
>> validity of our issue, you should be able to answer yes to all of
>> the following questions.
>
> I don't dismiss anything, just telling that this is not a "global IPSec
> issue", but "something more specific". My first idea was the MTU
> issue, it looks like it's not that.
>
>> Are you ...
>>
>> A) Running 5.x or 6.x
>
> 6.0 on at least one production gate, and we are starting to do heavy
> tests on some 5.4 gates (yes, I know, this can look strange, but the
> 6.0 Gate is not related to our global "production").
>
>> B) Running a packet filter
>
> Pf on the 6.0 Gate, specific packet filter on 4.11 / 5.4 products.
>
>> C) Protecting traffic being forwarded from either
>>    1) a private network
>
> Yes
>
>>    2) a gif tunnel
>
> No, and that's the main difference for now: I *never* used Gif
> interfaces.
>
>> D) Sending TCP traffic
>
> I can answer "sending lots of TCP traffic, including, for example,
> some large (lots of Mb) scp file transfers".
>
> Yvan.

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net