Hi Lucas,

Have you tried to manipulate the MSS during conversation setup? This is done with the max-mss directive in pf.conf.

Basically, it takes the three way handshake, and overrides the MSS value in the handshake to something lower than the default.

Client (1500 bytes) -> pf (change to 1300 bytes) -> Server
Server (1500 bytes) -> pf (change to 1300 bytes) -> Client

Now, both the server and the client think that the remote conversation partner is only able to receive 1300 bytes, and will package the data accordingly.

When a normal conversation is set up, it is becoming more and more common to set DF=1 (don't fragment = true). When the router/firewall receives packets that are too big, they become discarded, but the max-mss should take care of this. I.e., while not allowing fragmentation, force smaller packets in the first place. The three way handshake will usually always come true, because the packets are very small.

Cheers,
Simon.

On Sun, 9 Feb 2020 at 21:35, Lucas <[email protected]> wrote:
> Hi misc@,
>
> I've set up an IPsec tunnel for serving my website from my home. The
> tunnel works quite well most of the time, but if I try to deliver big
> files over it, the HTTP client never gets a response. After some
> testing, if I run on the HTTP server end
>
> perl -e 'print "a" x 1386;' | doas nc -l 10.200.0.80 80
>
> the client receives 1386 "a"s, but with any bigger size the client sees no
> response at all.
>
> This smells of MTU / fragmentation issues, but I don't know enough about
> networks to configure it properly. Is this the case? Any recommendations
> on how to configure a sensible value? Any clue sticks? I can bang
> different MTUs until it works, but that solution doesn't seem to scale.
> You can find my iked and pf configs below.
>
> Also would like to understand why it happens, so pointers to docs are
> more than welcome.
>
> Thanks in advance,
> -Lucas
>
> Initiator /etc/iked.conf:
>
> initiator_www = 10.200.0.80
> initiator_peer = 192.0.2.1
> responder = 198.51.100.1
>
> ikev2 "www" active proto tcp \
>     from $initiator_www port 80 to $responder \
>     peer $responder \
>     srcid initiator dstid responder \
>     tag IPSECWWW
>
> Initiator /etc/pf.conf:
>
> set block-policy drop
> set loginterface egress
> set skip on lo0
>
> block all
>
> pass out quick on { egress enc0 }
>
> pass in quick on enc0 tagged IPSECWWW
> pass in on egress proto tcp to port ssh
> pass in on egress inet proto icmp all
> pass in on egress inet6 proto ipv6-icmp all
>
> Responder /etc/iked.conf:
>
> initiator_www = 10.200.0.80
> initiator_peer = 192.0.2.1
> responder = 198.51.100.1
>
> ikev2 "www" passive proto tcp \
>     from $responder to $initiator_www port 80 \
>     peer $initiator_peer \
>     srcid responder dstid initiator \
>     tag IPSECWWW
>
> Responder /etc/pf.conf:
>
> set block-policy drop
> set loginterface egress
> set skip on lo0
>
> block log all
>
> pass out quick on egress
>
> pass in log on egress proto udp from any to (egress) \
>     port { isakmp ipsec-nat-t }
> pass in log on egress proto esp from any to (egress)
> pass in log on enc0 tagged IPSECWWW
> pass out log on enc0
>
> pass in on egress proto tcp to port { ssh http https }
> pass in on egress inet proto icmp all
> pass in on egress inet6 proto icmp6 all
>
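One way to apply Simon's suggestion to Lucas's initiator pf.conf, as an added example that is not part of the original thread: a match rule with scrub (max-mss ...) on the tunnel interface enc0, which rewrites the MSS option in the SYN and SYN-ACK in both directions. The 1300 value is the illustrative figure from Simon's reply, not a measured one, and the remaining rules are copied from Lucas's post.

```pf
# Initiator /etc/pf.conf with MSS clamping on the IPsec tunnel interface.
# Added example, not Lucas's original config; only the match line is new.
set block-policy drop
set loginterface egress
set skip on lo0

# Clamp the TCP MSS advertised in SYN/SYN-ACK segments crossing enc0 so
# both peers send segments that fit inside the ESP-encapsulated path
# without relying on fragmentation (DF is commonly set). 1300 is the
# illustrative value from Simon's reply; the real ceiling depends on the
# tunnel's ESP/IP overhead, so tune it by measurement (assumption).
match on enc0 scrub (max-mss 1300)

block all

pass out quick on { egress enc0 }

pass in quick on enc0 tagged IPSECWWW
pass in on egress proto tcp to port ssh
pass in on egress inet proto icmp all
pass in on egress inet6 proto ipv6-icmp all
```

After `pfctl -f /etc/pf.conf`, a packet capture on enc0 should show the clamped mss value in the TCP options of the handshake segments, and the large-file transfer that previously stalled should complete.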

