Re: IPSec tcp session stalling ( me too ) ...

From: Volker (volker_at_vwsoft.com)
Date: 10/25/05

    Date: Mon, 24 Oct 2005 23:19:10 +0100
    To: VANHULLEBUS Yvan <vanhu@zeninc.net>
    
    

    Yvan,

    >> 2) a gif tunnel
    >
    > No, and that's the main difference for now: I *never* used Gif
    > interfaces.

    And that's the point. When not using a gif interface to pass traffic
    through the IPSec tunnel, I don't see any trouble at all and everything
    works fine. As soon as a gif interface is involved, the tcp (haven't
    checked with udp) session running inside the gif tunnel breaks.

    When either not using IPSec, not enabling pf or not using gif -
    everything is fine.

    My setup always secured the outside of the tunnel. I haven't checked to
    secure the inside of the gif tunnel by using IPSec.

    Volker

    On 2005-10-24 17:08, VANHULLEBUS Yvan wrote:
    > On Mon, Oct 24, 2005 at 11:05:21AM -0500, Matthew Grooms wrote:
    >
    >>Yvan,
    >>
    >>VANHULLEBUS Yvan wrote:
    >>
    >>
    >>>We have *lots* of Gates running FreeBSD 4.11 and IPSEC (not
    >>>FAST_IPSEC), and I already have some 5.3 / 6.0 gates, also using
    >>>IPSEC.
    >>>
    >>>
    >>>Yvan.
    >>>
    >>
    >> I have a 4.11 server in production handling VPN traffic that is
    >>working perfectly as well. With 5.x or 6.x, my testing shows that
    >>traffic originating from a VPN gateway that traverses the tunnel works
    >>without a problem too. I only see this happen with TCP traffic, on 5.x+
    >>while running a packet filter ( pf or ipfw ) and forwarding traffic
    >>sourced from a private network that matches the IPSEC security policy.
    >
    >
    > Ok.
    >
    >
    >
    >>Volker is seeing the problem with TCP traffic, when he is running 5.x+
    >>while running a packet filter and forwarding gif tunnel traffic that
    >>matches the IPSEC security policy.
    >
    >
    > It really looks like we all experimented different problems (my
    > "problem" is the MTU issue I regularly see) which have "some common
    > aspects".
    >
    >
    >
    >> So, I appreciate your input by stating that your servers are not
    >>experiencing the same problem we are seeing. But before you dismiss the
    >>validity of our issue, you should be able to answer yes to all of
    >>the following questions.
    >
    >
    > I don't dismiss anything, just telling that this is not a "global IPSec
    > issue", but "something more specific". My first idea was the MTU
    > issue, it looks like it's not that.
    >
    >
    >
    >>Are you ...
    >>
    >>A) Running 5.x or 6.x
    >
    >
    > 6.0 on at least one production gate, and we are starting to do heavy
    > tests on some 5.4 gates (yes, I know, this can look strange, but the
    > 6.0 Gate is not related to our global "production").
    >
    >
    >
    >>B) Running a packet filter
    >
    >
    > Pf on the 6.0 Gate, specific packet filter on 4.11 / 5.4 products.
    >
    >
    >
    >>C) Protecting traffic being forwarded from either
    >> 1) a private network
    >
    >
    > Yes
    >
    >
    >> 2) a gif tunnel
    >
    >
    > No, and that's the main difference for now: I *never* used Gif
    > interfaces.
    >
    >
    >
    >>D) Sending TCP traffic
    >
    >
    > I can answer "sending lots of TCP traffic, including, for example,
    > some large (lots of Mb) scp file transfers".
    >
    >
    >
    > Yvan.
    >
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

