https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242744
Bug ID: 242744
Summary: IPSec in transport mode between FreeBSD hosts blackholes TCP traffic
Product: Base System
Version: 12.1-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: [email protected]
Reporter: [email protected]
When you configure transport mode IPSec between two FreeBSD hosts (no tunnels
or if_ipsec), TCP connectivity between those hosts breaks. It happens because
a) ESP packets are always generated with the DF flag set, b) PMTUD does not
work in IPSec transport mode because there is no interface (?) c) when TCP
segments of standard size are encapsulated into ESP packets, the resulting
oversized ESP packets cannot pass through any interface with MTU=1500, nor can
they be fragmented because of the DF flag, so they are just blackholed and
never leave the host.
How to reproduce. Configure a simple transport mode IPSec between two FreeBSD
hosts and try to scp files from one host to another. The file transfer will
inevitably stall, until you clear all IPSec policies. Watch with tcpdump: all
ESP packets have the DF flag set, but large ESP packets will be missing.
A workaround. A host route to the peer with "-mtu 1400" can be configured as
described in
https://lists.freebsd.org/pipermail/freebsd-net/2019-December/054952.html but
it is not scalable.
What is to be done. ESP packets should not have the DF flags set by default for
things to "just work."
I've checked that the net.inet.ipsec.dfbit does not affect transport mode.
Regardless of its value, the DF flag is always on.
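To see why a standard-size TCP segment no longer fits once it is wrapped in ESP, and why the 1400-byte host route in the workaround helps, here is an added example (not from the bug report or from FreeBSD) that estimates the on-the-wire size of an ESP transport-mode packet. The SA profile names, the header and ICV sizes, and the use of minimal padding are this example's own assumptions about typical configurations, not values taken from the report.

```python
"""Estimate IPv4 ESP transport-mode packet sizes (example; constants assumed)."""

IP_HDR = 20       # IPv4 header without options
TCP_HDR = 20      # TCP header without options
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)

# (IV length, pad alignment, ICV length) for a few common SA configurations.
# The names are labels chosen for this example, not setkey(8) keywords.
SA_PROFILES = {
    "aes-cbc-hmac-sha1-96": (16, 16, 12),
    "aes-cbc-hmac-sha256-128": (16, 16, 16),
    "aes-gcm-16": (8, 4, 16),   # GCM needs no block padding, only 4-byte alignment
}


def esp_transport_size(tcp_payload, profile):
    """Total IPv4 packet length after ESP transport-mode encapsulation."""
    iv, align, icv = SA_PROFILES[profile]
    inner = TCP_HDR + tcp_payload           # transport mode: the TCP segment is the ESP payload
    to_pad = inner + ESP_TRAILER
    padded = -(-to_pad // align) * align    # round up to the cipher's alignment
    return IP_HDR + ESP_HDR + iv + padded + icv


def fits_mtu(tcp_payload, profile, mtu=1500):
    """True if the ESP packet can leave a link of the given MTU unfragmented."""
    return esp_transport_size(tcp_payload, profile) <= mtu


def max_tcp_payload(mtu, profile):
    """Largest TCP payload whose ESP-encapsulated packet still fits in mtu."""
    return max(n for n in range(mtu) if fits_mtu(n, profile, mtu))


if __name__ == "__main__":
    for profile in SA_PROFILES:
        full = esp_transport_size(1460, profile)        # TCP MSS on a plain 1500 MTU link
        clamped = esp_transport_size(1360, profile)     # MSS after a 1400-byte host route
        print(f"{profile}: MSS 1460 -> {full} bytes (fits 1500: {fits_mtu(1460, profile)}), "
              f"MSS 1360 -> {clamped} bytes, max payload {max_tcp_payload(1500, profile)}")
```

With DF set on every ESP packet, the oversized result for MSS 1460 is exactly the packet the report says never leaves the host; a route MTU of 1400 brings the MSS down to 1360 and the encapsulated packet back under 1500.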
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs