[Bug 242744] IPSec in transport mode between FreeBSD hosts blackholes TCP traffic
bugzilla-noreply at freebsd.org
Sat Dec 21 08:33:50 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242744
--- Comment #5 from Victor Sudakov <vas at sibptus.ru> ---
(In reply to Eugene Grosbein from comment #4)
> First, one can use IPSec transport mode combined with gif tunnel and mtu=1500 for the gif.
The solution with gif or if_ipsec tunnels is not scalable if you want to create
a mesh of hosts with protected traffic between them. If we are talking about
not more than 2-3 hosts, then the if_ipsec solution is the most elegant.
> Second, one can try sysctl net.inet.ipsec.dfbit=0 that is documented in
> ipsec(4) manual page for IPSec tunnel mode
> but maybe it works for transport mode, too
I wrote in the initial problem description that this sysctl does not work for
transport mode. You just did not pay attention.
> Third, you can adjust TCP MSS by means of packet filters.
I don't think I can if the packet in question is not received or transmitted
via any interface (like locally generated ssh-client traffic intercepted by
IPSec policies). Or I'll try if you provide an example of matching such a
packet.
I also tried pf's "scrub out proto 50 no-df" but there was no match.
In a FreeBSD - Windows 7 combination, this kind of transport mode works
transparently out of the box. I think Windows knows to adjust MSS, or
something.
--
You are receiving this mail because:
You are the assignee for the bug.
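As an added illustration, not part of the bug report or its comments: the blackholing described in this thread comes from ESP overhead pushing every full-size TCP segment past the link MTU while DF is set. The calculator below estimates that overhead for ESP transport mode and the largest MSS that still fits; the cipher parameters (AES-CBC with HMAC-SHA1-96, and AES-GCM for comparison, at MTU 1500) are assumptions, not values from the thread.

```python
# ESP transport-mode overhead estimator (constructed example).
# Transport mode: IP header | ESP header | TCP segment | ESP trailer | ICV
# Any fragment-needed ICMP that the sender never sees leaves the segment dropped.

ESP_HEADER = 8          # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER_FIXED = 2   # pad length (1 byte) + next header (1 byte)

# Assumed cipher suites: (IV length on the wire, pad alignment, ICV length)
AES_CBC_HMAC_SHA1_96 = (16, 16, 12)
AES_GCM_128 = (8, 4, 16)


def esp_overhead(payload_len, suite):
    """Bytes ESP adds around a payload of payload_len bytes.

    Padding aligns payload + pad + 2-byte trailer to the cipher block size
    (4 bytes for counter-mode suites such as AES-GCM).
    """
    iv_len, block_size, icv_len = suite
    pad = (-(payload_len + ESP_TRAILER_FIXED)) % block_size
    return ESP_HEADER + iv_len + pad + ESP_TRAILER_FIXED + icv_len


def fits_mtu(mss, mtu, suite, ip_hdr=20, tcp_hdr=20):
    """True if a TCP segment carrying mss bytes survives ESP encapsulation."""
    seg = tcp_hdr + mss
    return ip_hdr + seg + esp_overhead(seg, suite) <= mtu


def max_tcp_mss(mtu, suite, ip_hdr=20, tcp_hdr=20):
    """Largest MSS such that IP + ESP(TCP header + payload) still fits mtu.

    Start from the plaintext MSS (mtu - IP - TCP) and step down until the
    encapsulated packet fits; that is the value to clamp to.
    """
    mss = mtu - ip_hdr - tcp_hdr
    while mss > 0 and not fits_mtu(mss, mtu, suite, ip_hdr, tcp_hdr):
        mss -= 1
    return mss


if __name__ == "__main__":
    for name, suite in (("AES-CBC/HMAC-SHA1-96", AES_CBC_HMAC_SHA1_96),
                        ("AES-GCM-128", AES_GCM_128)):
        plain_mss = 1500 - 40
        print(f"{name}: default MSS {plain_mss} fits 1500? "
              f"{fits_mtu(plain_mss, 1500, suite)}; "
              f"clamp to {max_tcp_mss(1500, suite)}")
```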