On 01/23/15 15:13, VANHULLEBUS Yvan wrote:
Hi.
On Wed, Jan 21, 2015 at 03:16:21PM +0100, Andrei Brezan wrote:
Weird subject, maybe.
I'm running FreeBSD-10.0-RELEASE with PF as firewall and racoon for
IPSEC. The IPSEC tunnel is between the FreeBSD box and a Fortinet
appliance.
The IPSEC tunnel comes up and on a quick test it seems to be
working, icmp between networks is ok, you can successfully telnet on
services on the other side. However when you need to transfer some
data strange things happen. I'm really trying to wrap my head around
it and I still don't understand why it happens
(http://pastebin.com/NAspcM9w). The packets smaller than 1260 and
larger than 1417 are delivered to vlan103, the ones in between are
not.
I'm not sure why you have this strange issue.
Having a look at your IPsec/ESP related kernel stats may give a first
idea.
But I know that, even if you find a fix for this, you'll have very
poor performance as soon as packets start to be fragmented, and your
data transfers may just stall forever.
So, the usual way of solving that is to change the TCP MSS "low enough"
on the fly for all IPsec related traffic.
1300 is a common value, low enough to avoid fragmentation, and high
enough to keep good throughput.
Of course, this will only work for TCP, but most big packets / long
flows are done on TCP.
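Yvan's MSS suggestion written out as PF rules in the FreeBSD 10.x pf.conf syntax (an added example, not configuration posted by anyone in the thread; the interface name vlan103 comes from the thread, while em0, the two subnets and the gif0 alternative are assumptions):

```conf
# /etc/pf.conf fragment, FreeBSD 10.x PF syntax (pre-"match" scrub rules).
# Added example; names below other than vlan103 are assumptions, not values
# taken from the thread.
ext_if     = "em0"             # assumed: interface carrying ESP to the Fortinet
int_if     = "vlan103"         # inside interface named in the thread
local_net  = "192.0.2.0/24"    # assumed: subnet behind the FreeBSD box
remote_net = "198.51.100.0/24" # assumed: subnet behind the Fortinet

# Clamp the advertised MSS of TCP flows that will be carried inside ESP.
# 1300 leaves room for the outer IP header, ESP header, IV, padding and ICV
# on a 1500-byte path, so the encapsulated segments are never fragmented.
# Inbound on the inside interface: clamps what local hosts advertise.
scrub in  on $int_if proto tcp from $local_net  to $remote_net max-mss 1300
# Outbound on the inside interface: clamps what the remote side advertised.
scrub out on $int_if proto tcp from $remote_net to $local_net  max-mss 1300

# If the tunnel is built on a gif interface (as the thread title suggests),
# a single rule on that interface covers both directions instead:
# scrub on gif0 all max-mss 1300
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`. The IPsec/ESP kernel counters Yvan refers to can be read with `netstat -s -p ipsec` and `netstat -s -p esp`; a rising "packets dropped" or "bad length" counter there, while the MSS clamp is in place, points at a problem other than fragmentation.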
Thanks Yvan,
The ICMP started working at some point, most likely when I changed
something in my config or the other side did, wasn't able to identify
it. I still had the issues specified in this thread
https://forums.freebsd.org/threads/ipsec-racoon-gif-packet-routing-issues-transfer-stall-fail.50085/
I managed to resolve the problems with an update from Release 10.0 to 10.1.
--
Andrei
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"