> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf
> Of William Ahern
> Sent: Monday, December 17, 2018 1:11 PM
> To: Theodore Wynnychenko
> Cc: misc@openbsd.org
> Subject: Re: TLS suddenly not working over IKED site-to-site
> . . .
> I'm not well versed in these issues but if I were in your shoes I would
>
> 1) Figure out why those packets were unprotected. (Could be normal for all I
> know, but in a quick test on my enc0 I didn't see any packets like that.)
>
> 2) Make sure the tunnel handles fragmentation correctly. Are fragments being
> dropped? Are reassembled fragments being dropped?
>
> 2.a) Relatedly, make sure the tunnel handles pMTU discovery. Do ICMP
> Fragmentation Needed packets make it back through the tunnel? pMTU and ICMP
> issues are very common with IPSec tunnels. IME most people "fix" these
> issues by forcing a lower MSS or setting a lower MTU at the ingress point
> rather than properly configuring routing so ICMP errors are properly routed.
> I've experienced this issue myself and had to learn the hard way.
>
> 3) From an earlier post it looks like you're using ipcomp. You should remove
> this complication while debugging. It's possible ipcomp is hiding MTU issues.
Thank you so much for the suggestions.

To summarize, I have noticed that in the last month, SSL/TLS connections were failing when traversing an ipsec tunnel created by iked. This had worked stably for over a year, with no changes to iked.conf or pf.conf. In trying to find the issue, I had added "max-mss" to pf and tried decreasing MTU values on the adapters. This did not seem to make a difference. In addition, the problem was very sporadic, and seemed to "evolve" over the last few weeks. In the last few days, I was able to establish https connections over the tunnel when that connection was initiated by the gateway openbsd machine or a Mac on the "local" network; but connections from another openbsd machine "behind" the gateway, and a Windows 7 machine, kept hanging.

Anyway, I decided to revert everything to the way it was. I removed all "max-mss" entries and reset MTU values to 1500. Then, I took the advice above and disabled ipcomp on the tunnel, and, BAHM, https (and imaps) were working without an issue from openbsd, Windows 7, and Macs!

Just to be sure, I updated this AM to the 12/19 amd64 snapshot. When I turn on ipcomp, https/imaps hangs for most connections; when I turn ipcomp off, https/imaps works.

I noticed that the last change to sys/netinet/ip_ipcomp.c (I am guessing this is the code that is involved) in the log (I think) was about 3 months ago, and at this point, I can't recall if my last update (prior to the one where the instability began) was before or after that change. I was going to try to recompile it with the change undone, but am not sure how to do that, or even if it can be done for just that one part of sys.

And, after removing ipcomp from iked.conf, my subjective observation is that things load a lot faster than they seemed to in the past with ipcomp on; so, I am happy with where I am.

I was just posting my observations in case anyone else has a similar issue.

Ted
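For readers who want to see what the change above looks like in configuration, here is an added example; it is not Ted's iked.conf or pf.conf (neither is shown in the thread). It shows a minimal site-to-site policy with the ipcomp keyword that was removed, the same policy without it, and the pf rules that were tried and reverted. The names, addresses (RFC 5737 ranges), cipher choices and PSK are placeholders.

```conf
# Added example, not the configuration from the thread. Gateway A is
# 203.0.113.1 with 10.1.0.0/24 behind it; gateway B is 198.51.100.1 with
# 10.2.0.0/24 behind it. Names, addresses, ciphers and the PSK are assumed.

# ---- /etc/iked.conf on gateway A, BEFORE ----
# "ipcomp" makes iked negotiate IPComp in addition to ESP, so every child SA
# gets a companion IPComp SA ("ipsecctl -sa" then lists ipcomp entries
# alongside the esp entries).
ikev2 "site-b" active ipcomp esp \
        from 10.1.0.0/24 to 10.2.0.0/24 \
        local 203.0.113.1 peer 198.51.100.1 \
        ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
        childsa enc aes-256-gcm \
        srcid gw-a.example.com dstid gw-b.example.com \
        psk "replace-with-a-real-shared-secret"

# ---- /etc/iked.conf on gateway A, AFTER ----
# Identical policy with the keyword dropped; this is the one change that the
# report above found made the https/imaps hangs go away.
ikev2 "site-b" active esp \
        from 10.1.0.0/24 to 10.2.0.0/24 \
        local 203.0.113.1 peer 198.51.100.1 \
        ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
        childsa enc aes-256-gcm \
        srcid gw-a.example.com dstid gw-b.example.com \
        psk "replace-with-a-real-shared-secret"

# ---- /etc/pf.conf fragment on gateway A ----
# IKE and ESP from the peer, and the tunnelled traffic on enc0.
pass in on egress proto udp from 198.51.100.1 to (egress) port { isakmp, ipsec-nat-t }
pass in on egress proto esp from 198.51.100.1 to (egress)
pass on enc0 from 10.1.0.0/24 to 10.2.0.0/24 keep state (if-bound)
pass on enc0 from 10.2.0.0/24 to 10.1.0.0/24 keep state (if-bound)
# Let "fragmentation needed" errors through so path MTU discovery can work
# end to end instead of being papered over by MSS clamping.
pass inet proto icmp icmp-type unreach code needfrag
# The clamp that was tried and then removed in the report above. Left here,
# commented out, because it hides MTU problems rather than fixing them.
# match on enc0 scrub (max-mss 1380)
```

After editing iked.conf, restart iked (rcctl restart iked) and check "ipsecctl -sa": with the AFTER policy only esp SAs should be listed, with no ipcomp entries. Keep the ipcomp keyword out while debugging any tunnel problem, as suggested in the quoted message, and reintroduce it only once the plain ESP tunnel passes large TLS transfers cleanly.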