Mine is resolved by applying a smaller max-mss in pf and disabling ipcomp. Only disabling ipcomp didn’t work.
> On Mar 15, 2019, at 3:15 AM, Andrew Daugherity <andrew.daugher...@gmail.com> wrote:
>
> On Thu, Dec 20, 2018 at 6:54 PM Theodore Wynnychenko <t...@uchicago.edu> wrote:
>> Then, I took the advice above, and disable ipcomp on the tunnel, and, BAHM,
>> https (and imaps) were working without an issue from openbsd, Windows 7, and
>> Macs!
>>
>> Just to be sure, I updated this am to the 12/19 amd64 snapshot.
>>
>> When I turn on ipcomp, https/imaps hangs for most connections; when I turn
>> ipcomp off, https/imaps works.
>
> I can confirm this behavior. I've set up a simple RSA key VPN as
> described at http://www.openbsd.org/faq/faq17.html#site2site, which
> does not include ipcomp by default, and everything works fine,
> including https. After reading this I decided to test enabling
> ipcomp, and sure enough, loading an https page across the VPN fails.
> With ipcomp I also see some "unprotected" packets when running tcpdump
> on enc0, e.g.:
> 13:32:19.600062 (authentic,confidential): SPI 0xee345270:
> 10.95.10.236.57254 > 10.95.0.233.443: P 273:518(245) ack 5604 win 455
> <nop,nop,timestamp 1069884950 61011946> (DF) (encap)
> 13:32:19.614996 (unprotected): SPI 0x00005a04: 10.95.0.233.443 >
> 10.95.10.236.57254: . 5604:7052(1448) ack 518 win 252 <nop,nop,
> timestamp 61011950 1069884950> (DF) (encap)
>
> I don't know why that is happening, but as everything seems to work
> well and perform decently without ipcomp, I'll be leaving it disabled.
>
>> I noticed that the last change to sys/netinet/ip_ipcomp.c (I am guessing
>> this is the code that is involved) in the log (I think) was about 3 months
>> ago, and at this point, I can't recall if my last updated (prior to the one
>> where the instability began) was before or after that change.
>>
>> I was going to try to recompile it with the change undone, but am not sure
>> how to do that, or even if it can be done for just that one part of sys.
>
> Yes, just use git or cvs (whatever you checked out the code with) to
> fetch an earlier revision of that file (not the whole repo) and then
> build a new kernel. Sometimes you'd need to also revert other related
> changes, but that does not appear to be the case here, assuming you're
> referring to [1]. Note that some previous commits did touch multiple
> files.
>
>> And, after removing ipcomp from iked.conf, my subjective observation is that
>> things load a lot faster than they seemed to in the past with ipcomp on; so,
>> I am happy with where I am.
>>
>> I was just posting my observations in case anyone else has a similar issue.
>
> Thank you for sharing. I had (I think) been using ipcomp in my old
> ikev1 (ipsec.conf/isakmpd) setup but had not yet gotten around to
> enabling it in the ikev2 setup. Based on this, I won't bother.
>
>
> -Andrew
>
> [1] https://github.com/openbsd/src/commit/4b5fa55
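Added example, not from the thread: a small Python check that groups enc0 tcpdump lines in the format Andrew quoted by SPI and surfaces SPIs that carried any "(unprotected)" packet or an oversized segment, the two symptoms this thread discusses (the hang went away with a smaller max-mss in pf). It assumes tcpdump's normal one-packet-per-line output; the sample packets are the two quoted above re-joined onto single lines, and the 1400-byte threshold is an assumption.

```python
import re
from collections import defaultdict

# Header of an enc0 tcpdump line in the format quoted above:
# "<time> (<flags>): SPI 0x<hex>: <src>.<port> > <dst>.<port>: <tcp> <seq>:<seq>(<len>) ..."
HDR_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) \((?P<flags>[^)]*)\): "
                    r"SPI (?P<spi>0x[0-9a-fA-F]+): (?P<src>\S+) > (?P<dst>\S+):")
SEG_RE = re.compile(r"\d+:\d+\((?P<len>\d+)\)")  # TCP payload length, when printed


def parse_enc0_line(line):
    """Parse one enc0 tcpdump line; None for lines that carry no IPsec header."""
    m = HDR_RE.match(line.strip())
    if not m:
        return None
    seg = SEG_RE.search(line)
    return {"ts": m.group("ts"),
            "flags": {f.strip() for f in m.group("flags").split(",") if f.strip()},
            "spi": int(m.group("spi"), 16), "src": m.group("src"), "dst": m.group("dst"),
            "seglen": int(seg.group("len")) if seg else 0}


def audit_enc0(lines):
    """Per SPI: packet count, packets tcpdump flagged (unprotected), largest segment."""
    report = defaultdict(lambda: {"packets": 0, "unprotected": 0, "max_seglen": 0})
    for line in lines:
        pkt = parse_enc0_line(line)
        if pkt is None:
            continue
        e = report[pkt["spi"]]
        e["packets"] += 1
        e["max_seglen"] = max(e["max_seglen"], pkt["seglen"])
        if "unprotected" in pkt["flags"]:
            e["unprotected"] += 1
    return dict(report)


def suspect_spis(lines, mss_limit=1400):
    """SPIs to look at: any (unprotected) packet, or a segment above mss_limit.
    The thread resolved the hang with a smaller max-mss in pf, so oversized
    segments are the second symptom surfaced; 1400 is an assumed threshold."""
    return sorted(spi for spi, e in audit_enc0(lines).items()
                  if e["unprotected"] or e["max_seglen"] > mss_limit)


# Constructed sample: the two packets quoted in the thread, each re-joined onto one line.
SAMPLE = [
    "13:32:19.600062 (authentic,confidential): SPI 0xee345270: 10.95.10.236.57254 > "
    "10.95.0.233.443: P 273:518(245) ack 5604 win 455 <nop,nop,timestamp 1069884950 61011946> (DF) (encap)",
    "13:32:19.614996 (unprotected): SPI 0x00005a04: 10.95.0.233.443 > "
    "10.95.10.236.57254: . 5604:7052(1448) ack 518 win 252 <nop,nop,timestamp 61011950 1069884950> (DF) (encap)",
]
```

Feed it `tcpdump -l -n -i enc0` output line by line; `suspect_spis()` returns the SPIs to cross-check against `ipsecctl -sa` before deciding whether to disable ipcomp or clamp the MSS.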