On 20.12.19 16:23, Victor Sudakov wrote:
> Dear Colleagues,
>
> I've set up IPSec in transport mode between two regular FreeBSD hosts,
> for testing. Now TCP sessions between those hosts don't work normally
> any more. For example, scp is stalled almost immediately after starting
> a file transfer, and so is interactive ssh eventually.
>
> I feel that the problem is somehow related to MTU, MSS and fragmentation
> of ESP packets, because:
>
> 1. When IPSec is disabled, I can "ping -s1472 -D" the remote host all
> right.
>
> 2. When IPSec is enabled, the maximum packet size I've been able to send
> through is "ping -s1414 -D". ("ping -s1415 -D host-b" already disappears
> in the void).
>
> I'm really at a loss what to do about that. In transport mode, there is
> no network interface I could adjust MTU on, or run some kind of MSS
> fixer.
Maybe you could add a route to the remote host with the -mtu parameter. I've never tested this because I have interfaces (either if_ipsec or if_gif protected with transport mode IPSec) and I do MSS clamping in pf, but this could work.

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz  | jabber,email: vegeta()tuxpowered net  |
| Vegeta                | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'
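The reasoning behind both messages, that ESP in transport mode eats part of the link MTU without any interface to set it on, can be made concrete by computing the overhead. The following is an added illustration, not code from the thread or from either poster: it applies the RFC 4303 ESP layout (8-byte header, cipher IV, payload padded to the cipher block size plus a 2-byte trailer, then the ICV) to work out the largest protected payload that fits in a 1500-byte frame, and from that the host-route MTU and the MSS clamp value the reply suggests. The thread does not say which cipher and integrity algorithms the SAs use, so the aes-cbc/hmac-sha1-96 defaults are an assumption, and the peer address, interface name and the route/pf command strings are placeholders, not commands taken from the page.

```python
"""ESP (RFC 4303) transport-mode overhead calculator.

Added illustration, not code from the thread. Algorithm sizes are the standard
ESP values; the default cipher/integrity choice is an assumption, since the
thread does not say what the SAs negotiate.
"""
IPV4_HDR = 20     # outer IPv4 header without options
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
TCP_HDR = 20      # used to turn an MTU into an MSS
ICMP_HDR = 8      # echo request header, to relate the result to "ping -s"

# iv: explicit IV in front of the ciphertext; block: alignment required for
# payload + padding + trailer; icv: integrity check value (AEAD ciphers carry
# their own, so no separate integrity algorithm applies).
CIPHERS = {
    "aes-cbc":    {"iv": 16, "block": 16},
    "3des-cbc":   {"iv": 8,  "block": 8},
    "aes-gcm-16": {"iv": 8,  "block": 4, "icv": 16},
}
INTEGRITY = {"hmac-sha1-96": 12, "hmac-sha2-256-128": 16, "none": 0}


def _round_up(n, block):
    return (n + block - 1) // block * block


def esp_packet_len(transport_len, cipher="aes-cbc", integ="hmac-sha1-96"):
    """Outer IPv4 datagram length of a transport-mode ESP packet whose
    protected payload (TCP/UDP/ICMP header + data) is transport_len bytes."""
    c = CIPHERS[cipher]
    block = max(c["block"], 4)   # RFC 4303: trailer must end on a 4-byte boundary
    icv = c.get("icv", INTEGRITY[integ])
    body = _round_up(transport_len + ESP_TRAILER, block)
    return IPV4_HDR + ESP_HDR + c["iv"] + body + icv


def max_transport_payload(link_mtu=1500, cipher="aes-cbc", integ="hmac-sha1-96"):
    """Largest protected payload that still fits in one link_mtu frame.
    Because of block padding this is not simply link_mtu minus a constant,
    which is why guessing the number by hand tends to go wrong."""
    n = link_mtu
    while n > 0 and esp_packet_len(n, cipher, integ) > link_mtu:
        n -= 1
    return n


def tuning(link_mtu=1500, cipher="aes-cbc", integ="hmac-sha1-96"):
    """Values for the two workarounds from the reply: a host route carrying
    an MTU, or an MSS clamp. Also the largest "ping -s" that fits with DF set."""
    payload = max_transport_payload(link_mtu, cipher, integ)
    route_mtu = payload + IPV4_HDR          # what the stack should treat as path MTU
    return {
        "max_ping_s": payload - ICMP_HDR,
        "route_mtu": route_mtu,
        "max_mss": route_mtu - IPV4_HDR - TCP_HDR,
    }


def suggest_commands(peer, iface, link_mtu=1500, cipher="aes-cbc", integ="hmac-sha1-96"):
    """Illustrative FreeBSD command lines (placeholders: peer and iface are
    supplied by the caller). The first follows the reply's route -mtu idea,
    the second its pf MSS clamping; neither is taken from the thread."""
    t = tuning(link_mtu, cipher, integ)
    return [
        f"route change -host {peer} -mtu {t['route_mtu']}",
        f"scrub on {iface} proto tcp max-mss {t['max_mss']}",
    ]


if __name__ == "__main__":
    for cipher, integ in (("aes-cbc", "hmac-sha1-96"),
                          ("aes-cbc", "hmac-sha2-256-128"),
                          ("3des-cbc", "hmac-sha1-96"),
                          ("aes-gcm-16", "none")):
        print(f"{cipher:11s} {integ:18s} {tuning(1500, cipher, integ)}")
    for line in suggest_commands("198.51.100.2", "em0"):   # placeholder peer/iface
        print(line)
```

The table printed by the script shows why a single "ping -s" probe is only a starting point: every cipher/integrity pair gives a different ceiling, and the one the SA actually negotiates is what the route MTU or pf max-mss has to be derived from.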