> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf
> Of Rachel Roch
> Sent: Monday, December 03, 2018 11:19 AM
> To: misc@openbsd.org
> Subject: TLS suddenly not working over IKED site-to-site
>
> I hope someone here can shed light on an infuriating problem I’ve spent
> a week trying to resolve without luck.
>
> The problem concerns an IKED site-to-site VPN on OpenBSD 6.3 (both
> endpoints fully syspatched).
.
.
.
>
>
> This whole thing is just driving me crazy!
Hello,
This appears to be the same thing I have been having issues with and mentioned
in a post to misc last week ("Untable ssl connections over ikev2 VPN") - (yes,
typo intact - it should be "unstable").
I have tried adding a "max-mss 1300" directive into pf.conf (i.e.: "match in
all scrub (no-df random-id max-mss 1300)").
At first, I _thought_ this made a difference, but I am not sure if that is
really true.
I have also noticed that the TLS failures seem to vary based on OS. At this
point, I was able to get an https connection to work with Firefox on macOS, but
the TLS handshake continues to hang (100% of the time) with Firefox on a
Windows 7 PC. With an OpenBSD laptop, it seems like it sometimes works and
sometimes doesn't (using "openssl s_client" to test).
I also made no changes in pf.conf or iked.conf from the working to non-working
period.
I have no idea what to do; I am just posting my observations if that helps.
Thanks
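Added example, not from the thread or from OpenBSD: the intermittent "sometimes works, sometimes doesn't" behaviour described above is easier to reason about once it is counted rather than eyeballed. The POSIX sh harness below runs `openssl s_client` against a host through the tunnel repeatedly, kills any attempt whose handshake does not finish within a time limit, and tallies completed handshakes versus hangs versus attempts that never connected. The host, port, attempt count and time limit are placeholders to set yourself; the watchdog is a plain sleep-and-kill because OpenBSD 6.3 ships no timeout(1).

```shell
#!/bin/sh
# Added example (not from the thread): count how often a TLS handshake through
# the tunnel completes, hangs, or never connects. Needs only openssl(1) and sh.

# Classify one saved run of `openssl s_client` by what it managed to print.
#   ok        - handshake finished ("SSL handshake has read ..." is printed)
#   hung      - TCP connected ("CONNECTED(...)") but no handshake summary before
#               the watchdog killed it: the symptom reported in this thread
#   noconnect - never reached CONNECTED (refused, unreachable, DNS failure)
classify_handshake() {
    file=$1
    if grep -q 'SSL handshake has read' "$file"; then
        echo ok
    elif grep -q '^CONNECTED' "$file"; then
        echo hung
    else
        echo noconnect
    fi
}

# Run s_client once under a watchdog: a stuck handshake never returns on its
# own, so after $limit seconds the attempt is killed and classified as hung.
probe_once() {
    host=$1 port=$2 limit=$3
    out=$(mktemp) || return 1
    # exec inside the subshell so $! is openssl's own pid and kill reaches it.
    # stdin from /dev/null makes s_client exit as soon as the handshake is done.
    ( exec openssl s_client -connect "$host:$port" -servername "$host" \
          </dev/null >"$out" 2>&1 ) &
    pid=$!
    ( sleep "$limit"; kill "$pid" 2>/dev/null ) &
    watchdog=$!
    wait "$pid" 2>/dev/null
    kill "$watchdog" 2>/dev/null
    classify_handshake "$out"
    rm -f "$out"
}

# Repeat the probe $count times and print a tally such as "ok=7 hung=3 noconnect=0".
probe_tls() {
    host=$1 port=${2:-443} count=${3:-10} limit=${4:-5}
    ok=0 hung=0 noconnect=0
    i=0
    while [ "$i" -lt "$count" ]; do
        case $(probe_once "$host" "$port" "$limit") in
            ok)        ok=$((ok + 1)) ;;
            hung)      hung=$((hung + 1)) ;;
            noconnect) noconnect=$((noconnect + 1)) ;;
        esac
        i=$((i + 1))
    done
    echo "ok=$ok hung=$hung noconnect=$noconnect"
}

# Usage with a placeholder host on the far side of the tunnel:
#   probe_tls www.example.com 443 20 5
```

Run it from each client OS mentioned in the thread (macOS, Windows via a POSIX shell, OpenBSD) with the same host and attempt count, before and after changing the `max-mss` value in pf.conf; comparing the tallies tells you whether a change actually moved the failure rate or whether an apparent fix was just a lucky run.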