It can be a re-keying issue. You can check this out by adding to iked.conf on both ends:
Initiator:

    ...
    ikelifetime 120m lifetime 180m bytes 200m \
    tag IPSECWWW

Receiver:

    ...
    ikelifetime 100m lifetime 160m bytes 250m \
    tag IPSECWWW

The test result can be used for further investigations. By the way, can you let us know the exact size of the "big files"?

Denis

On 2/9/2020 9:33 PM, Lucas wrote:
> Hi misc@,
>
> I've set up an IPsec tunnel for serving my website from my home. The
> tunnel works quite well most of the time, but if I try to deliver big
> files over it, the HTTP client never gets a response. After some
> testing, if I run on the HTTP server end
>
> perl -e 'print "a" x 1386;' | doas nc -l 10.200.0.80 80
>
> the client receives 1386 "a"s, but with any bigger size the client sees
> no response at all.
>
> This smells of MTU / fragmentation issues, but I don't know enough about
> networks to configure it properly. Is this the case? Any recommendations
> on how to configure a sensible value? Any clue sticks? I can bang
> different MTUs until it works, but that solution doesn't seem to scale.
> You can find my iked and pf configs below.
>
> Also would like to understand why it happens, so pointers to docs are
> more than welcome.
>
> Thanks in advance,
> -Lucas
>
> Initiator /etc/iked.conf:
>
> initiator_www = 10.200.0.80
> initiator_peer = 192.0.2.1
> responder = 198.51.100.1
>
> ikev2 "www" active proto tcp \
>     from $initiator_www port 80 to $responder \
>     peer $responder \
>     srcid initiator dstid responder \
>     tag IPSECWWW
>
> Initiator /etc/pf.conf:
>
> set block-policy drop
> set loginterface egress
> set skip on lo0
>
> block all
>
> pass out quick on { egress enc0 }
>
> pass in quick on enc0 tagged IPSECWWW
> pass in on egress proto tcp to port ssh
> pass in on egress inet proto icmp all
> pass in on egress inet6 proto ipv6-icmp all
>
> Responder /etc/iked.conf:
>
> initiator_www = 10.200.0.80
> initiator_peer = 192.0.2.1
> responder = 198.51.100.1
>
> ikev2 "www" passive proto tcp \
>     from $responder to $initiator_www port 80 \
>     peer $initiator_peer \
>     srcid responder dstid initiator \
>     tag IPSECWWW
>
> Responder /etc/pf.conf:
>
> set block-policy drop
> set loginterface egress
> set skip on lo0
>
> block log all
>
> pass out quick on egress
>
> pass in log on egress proto udp from any to (egress) \
>     port { isakmp ipsec-nat-t }
> pass in log on egress proto esp from any to (egress)
> pass in log on enc0 tagged IPSECWWW
> pass out log on enc0
>
> pass in on egress proto tcp to port { ssh http https }
> pass in on egress inet proto icmp all
> pass in on egress inet6 proto icmp6 all
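Lucas's "bang different MTUs until it works" can be done systematically rather than by hand. The script below is an added example for this thread, not code posted by Lucas or Denis: it binary-searches the largest Don't-Fragment ICMP echo that crosses the path between the two gateways, converts that into an outer path MTU, subtracts an assumed ESP tunnel-mode overhead, and prints a TCP MSS to clamp on the tunnel. Assumptions: OpenBSD ping(8) flags (-D sets DF, -s is the ICMP payload size, -c 1 one probe, -w 1 one-second wait), the PEER address (taken from the post's responder, but any peer public address works), and the SA algorithms (8-byte IV, 16-byte ICV and 4-byte alignment, as for AES-GCM; check what was actually negotiated with `ipsecctl -sa` and adjust). It probes gateway to gateway on purpose: the iked flows in the post only protect TCP port 80, so an ICMP probe between the inner addresses would not travel through the tunnel at all.

```shell
#!/bin/sh
# pmtu_mss.sh: probe the path MTU between two IPsec gateways and derive
# a TCP MSS to clamp on the protected flow. Added example, not code from
# the thread. Assumes OpenBSD ping(8): -D sets the Don't Fragment bit,
# -s is the ICMP payload size, -c 1 sends one probe, -w 1 waits one second.
# PEER defaults to the responder address from the post; override as needed.
PEER="${PEER:-198.51.100.1}"

# icmp_probe SIZE: succeed if an echo request with SIZE payload bytes and
# DF set reaches PEER and is answered. A size that would need fragmentation
# is dropped on the path (or answered with "fragmentation needed") and fails.
icmp_probe() {
    ping -D -c 1 -w 1 -s "$1" "$PEER" >/dev/null 2>&1
}

# pmtu_search LO HI PROBE: largest SIZE in [LO, HI] for which "PROBE SIZE"
# succeeds, found by binary search. Assumes PROBE is monotonic (once a
# size fails, every larger size fails). Prints -1 if even LO fails.
pmtu_search() {
    lo=$1; hi=$2; probe=$3; best=-1
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid"; then
            best=$mid; lo=$((mid + 1))
        else
            hi=$((mid - 1))
        fi
    done
    echo "$best"
}

# payload_to_mtu SIZE: IPv4 packet length of an echo carrying SIZE data
# bytes: 20-byte IP header + 8-byte ICMP header + SIZE.
payload_to_mtu() { echo $(( $1 + 28 )); }

# esp_overhead IV ICV ALIGN: worst-case bytes that ESP tunnel mode adds to
# an inner IPv4 packet: 20 outer IP + 8 ESP (SPI, sequence) + IV +
# up to ALIGN-1 padding + 2 trailer (pad length, next header) + ICV.
# Add 8 more if the SA is UDP-encapsulated (NAT-T).
esp_overhead() { echo $(( 20 + 8 + $1 + ($3 - 1) + 2 + $2 )); }

# inner_mss OUTER_MTU OVERHEAD: TCP MSS such that a full segment
# (20 IP + 20 TCP + MSS) plus the ESP overhead fits the outer MTU.
# TCP options (timestamps, SACK) shrink the data further but still fit.
inner_mss() { echo $(( $1 - $2 - 40 )); }

# Run the live probe only when invoked as: sh pmtu_mss.sh run
if [ "${1:-}" = "run" ]; then
    size=$(pmtu_search 0 1472 icmp_probe)
    [ "$size" -ge 0 ] || { echo "no DF probe answered by $PEER" >&2; exit 1; }
    outer=$(payload_to_mtu "$size")
    # Assumed SA: AES-GCM style, 8-byte IV, 16-byte ICV, 4-byte alignment.
    # Verify the negotiated algorithms with: ipsecctl -sa
    ovh=$(esp_overhead 8 16 4)
    echo "outer path MTU $outer, ESP overhead $ovh, clamp MSS to $(inner_mss "$outer" "$ovh")"
fi
```

Run it on either gateway with PEER set to the other gateway's public address. The printed MSS is the value for a pf clamp on the tunnel interface, e.g. `match on enc0 scrub (max-mss N)`; for an unfragmented 1500-byte outer path and the assumed AES-GCM overhead of 57 bytes this works out to 1403, and for AES-CBC with HMAC-SHA2-256 (16-byte IV, 16-byte ICV, 16-byte alignment, 77 bytes overhead) to 1383. MSS clamping only helps TCP, which is all the posted flows carry; it does nothing for the rekeying hypothesis Denis raises, which the lifetime test above addresses separately.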