It can be a re-keying issue. You can check this out by adding to iked.conf
on both ends:
Initiator:
...
ikelifetime 120m lifetime 180m bytes 200m \
tag IPSECWWW
Receiver:
...
ikelifetime 100m lifetime 160m bytes 250m \
tag IPSECWWW
The test result can be used for further investigations.
By the way, can you let us know the "big files" exact size?
Denis
On 2/9/2020 9:33 PM, Lucas wrote:
> Hi misc@,
>
> I've set up an IPsec tunnel for serving my website from my home. The
> tunnel works quite well most of the time, but if I try to deliver big
> files over it, the HTTP client never gets a response. After some
> testing, if I ran in the HTTP server end
>
> perl -e 'print "a" x 1386;' | doas nc -l 10.200.0.80 80
>
> client receives 1386 "a"s, but with any bigger size the client sees no
> response at all.
>
> This smells of MTU / fragmentation issues, but I don't know enough about
> networks to configure it properly. Is this the case? Any recommendations
> on how to configure a sensible value? Any clue sticks? I can bang
> different MTUs until it works, but that solution doesn't seem to scale.
> You can find my iked and pf configs below.
>
> Also would like to understand why it happens, so pointers to docs are
> more than welcome.
>
> Thanks in advance,
> -Lucas
>
> Initiator /etc/iked.conf:
>
> initiator_www = 10.200.0.80
> initiator_peer = 192.0.2.1
> responder = 198.51.100.1
>
> ikev2 "www" active proto tcp \
> from $initiator_www port 80 to $responder \
> peer $responder \
> srcid initiator dstid responder \
> tag IPSECWWW
>
> Initiator /etc/pf.conf:
>
> set block-policy drop
> set loginterface egress
> set skip on lo0
>
> block all
>
> pass out quick on { egress enc0 }
>
> pass in quick on enc0 tagged IPSECWWW
> pass in on egress proto tcp to port ssh
> pass in on egress inet proto icmp all
> pass in on egress inet6 proto ipv6-icmp all
>
> Responder /etc/iked.conf:
>
> initiator_www = 10.200.0.80
> initiator_peer = 192.0.2.1
> responder = 198.51.100.1
>
> ikev2 "www" passive proto tcp \
> from $responder to $initiator_www port 80 \
> peer $initiator_peer \
> srcid responder dstid initiator \
> tag IPSECWWW
>
> Responder /etc/pf.conf:
>
> set block-policy drop
> set loginterface egress
> set skip on lo0
>
> block log all
>
> pass out quick on egress
>
> pass in log on egress proto udp from any to (egress) \
> port { isakmp ipsec-nat-t }
> pass in log on egress proto esp from any to (egress)
> pass in log on enc0 tagged IPSECWWW
> pass out log on enc0
>
> pass in on egress proto tcp to port { ssh http https }
> pass in on egress inet proto icmp all
> pass in on egress inet6 proto icmp6 all
>
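As an added example (not from either poster), a small sh script that bisects the largest Don't-Fragment-marked ICMP payload that crosses the tunnel, instead of trying sizes by hand as the original post describes. It assumes it runs on the responder, that 10.200.0.80 from the thread answers ping through the tunnel, and OpenBSD ping(8)'s -D and -s flags.

```sh
#!/bin/sh
# Added example: find the largest DF-marked ICMP payload that crosses the
# tunnel by bisection. Assumes OpenBSD ping(8) with -D (set Don't Fragment)
# and -s (payload size), and that 10.200.0.80 from the thread answers ping.
TARGET=${TARGET:-10.200.0.80}

# probe_df SIZE: succeed if one DF-marked ping with SIZE payload bytes
# gets a reply. This is the assumed real probe; tests swap in a stub.
probe_df() {
    ping -D -c 1 -w 2 -s "$1" "$TARGET" >/dev/null 2>&1
}

# bisect_max_size PROBE LOW HIGH: print the largest size in [LOW, HIGH]
# for which "PROBE size" succeeds. Assumes success is monotone: every size
# up to the cutoff works and every size above it fails, as in the thread
# where 1386 bytes passed and anything larger did not.
bisect_max_size() {
    probe=$1; lo=$2; hi=$3; best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid"; then
            best=$mid
            lo=$((mid + 1))
        else
            hi=$((mid - 1))
        fi
    done
    echo "$best"
}

# Only sweep when invoked as "sh script.sh sweep", so sourcing the file
# has no side effects. Note the ICMP payload limit differs from the TCP
# payload limit in the thread because the headers differ in size.
if [ "${1:-}" = "sweep" ]; then
    echo "largest DF payload to $TARGET: $(bisect_max_size probe_df 0 1500)"
fi
```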