Eugene Grosbein wrote:
>
> > I prepared the PoC patch that should fix the problem with TCP and
> > transport mode IPsec. But I have not free time currently to properly
> > test and debug it. It is only compile-tested. But if you want, you can
> > try :)
> > Currently only IPv4 support is implemented.
> >
> > https://people.freebsd.org/~ae/ipsec_transport_mode_ctlinput.diff
>
> In fact, I've faced this problem long time ago too and I work around it with
> different approaches
> like "ipfw tcp-setmss" (MSS adjust) or by using IPSec transport mode
> with gif(4) interface removing DF bit out of encapsulated packets.
>
> I was going to test your patch with my home router but the patch does not
> apply to stable/11, at all.
> Do you have time to adjust it to stable/11?

What beats me is that I cannot reproduce this problem in bhyve.

In this packet dump: http://admin.sibptus.ru/~vas/ipsec1.pcap.gz
I'm scp-ing a 50M file from 192.168.246.10 (bhyve guest) to
192.168.246.1 (bhyve host), and I see no fragments, and the largest
packet is 1466 bytes, and the scp never stalls nor fails.

Why is it NOT broken this time? Both hosts are 12.1-RELEASE-p1.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/