IPSec tcp session stalling

I'm having a problem with a FreeBSD workstation that tried to connect
to a remote VPN via an IPSec tunnel. Here's my setup:

A FreeBSD workstation: W

An OpenBSD router: LR

And another OpenBSD router: RR

A remote FreeBSD server: S

LR and RR are connected via an IPSec tunnel. W shares the local
ethernet with LR and LR is W's default gateway. S shares the remote
ethernet with RR and RR is S's default gateway.

The problem comes when I use scp. If I try to send a file bigger than
1400 bytes or so from W to S or vice versa the connection stalls and I
seem to be left waiting for Godot. If I tcpdump the connection I see
that when sending a file from W to S, LR sends W an ICMP message which
states that the last tcp packet was too large and it should change
its MTU. But the connection stalls right there. I noticed that
OpenBSD has a flag on scrub rules called no-df which strips the Don't
Fragment flag from the packet. Turning this bit on fixes the problem.

I'm wondering why FreeBSD doesn't send anything after it gets the ICMP
message which states that it needs to change its MTU for that

-- Chris

Chris Hilton chris-at-vindaloo-dot-com
"All I was doing was trying to get home from work!"
-- Rosa Parks
freebsd-questions@xxxxxxxxxxx mailing list
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
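The stall described in the post is what a capture looks like when a sender does not act on the router's ICMP "fragmentation needed" message: the same oversized segment is retransmitted with DF still set, the router answers with the same ICMP again, and nothing ever fits the tunnel. The script below is an added example, not code from the post or from FreeBSD or OpenBSD; it parses constructed tcpdump-style lines (the `need to frag (mtu N)` text is tcpdump's format for that ICMP message, and the TCP `length` field is the segment payload), reports per destination the MTU the router advertised and how many segments still exceeded it afterwards, and derives the MSS clamp that makes the path-MTU problem moot. The `$ext_if` macro and the addresses in the sample are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample capture (not from the original post). The lines imitate
# tcpdump output: TCP segments with their payload "length", and the router's
# ICMP "fragmentation needed" reply that carries the usable tunnel MTU.
SAMPLE_CAPTURE = """\
IP 192.0.2.10.54321 > 198.51.100.20.22: Flags [P.], seq 1:1449, ack 1, win 65535, length 1448
IP 192.0.2.1 > 192.0.2.10: ICMP 198.51.100.20 unreachable - need to frag (mtu 1418), length 36
IP 192.0.2.10.54321 > 198.51.100.20.22: Flags [P.], seq 1:1449, ack 1, win 65535, length 1448
IP 192.0.2.1 > 192.0.2.10: ICMP 198.51.100.20 unreachable - need to frag (mtu 1418), length 36
IP 192.0.2.10.54321 > 198.51.100.20.22: Flags [P.], seq 1:1449, ack 1, win 65535, length 1448
"""

TCP_RE = re.compile(
    r"^IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags .*? length (?P<len>\d+)$"
)
ICMP_RE = re.compile(
    r"^IP (?P<router>\d+\.\d+\.\d+\.\d+) > (?P<host>\d+\.\d+\.\d+\.\d+): ICMP "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+) unreachable - need to frag \(mtu (?P<mtu>\d+)\)"
)

IP_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options


def analyze_capture(text):
    """Per destination: the smallest MTU advertised by ICMP, the MSS that
    would fit it, and how many TCP segments still exceeded it afterwards."""
    mtu_seen = {}
    report = defaultdict(
        lambda: {"mtu": None, "oversize_after_icmp": 0, "suggested_mss": None}
    )
    for line in text.splitlines():
        m = ICMP_RE.match(line)
        if m:
            dst, mtu = m.group("dst"), int(m.group("mtu"))
            if dst not in mtu_seen or mtu < mtu_seen[dst]:
                mtu_seen[dst] = mtu
            report[dst]["mtu"] = mtu_seen[dst]
            report[dst]["suggested_mss"] = mtu_seen[dst] - IP_TCP_HEADERS
            continue
        m = TCP_RE.match(line)
        if m and m.group("dst") in mtu_seen:
            # Lower bound on the on-wire size: TCP options only make it larger,
            # so anything flagged here is certainly too big for the path.
            wire = int(m.group("len")) + IP_TCP_HEADERS
            if wire > mtu_seen[m.group("dst")]:
                report[m.group("dst")]["oversize_after_icmp"] += 1
    return dict(report)


def pmtud_ignored(report):
    """Destinations whose sender kept emitting segments larger than the advertised MTU."""
    return sorted(d for d, r in report.items() if r["oversize_after_icmp"] > 0)


def pf_max_mss_rule(mtu, iface):
    """pf scrub rule (pre-OpenBSD 4.6 syntax, same family as the post's no-df)
    clamping the MSS so every segment fits the tunnel MTU."""
    return f"scrub out on {iface} max-mss {mtu - IP_TCP_HEADERS}"


if __name__ == "__main__":
    rep = analyze_capture(SAMPLE_CAPTURE)
    for dst in pmtud_ignored(rep):
        r = rep[dst]
        print(f"{dst}: router advertised mtu {r['mtu']}, "
              f"{r['oversize_after_icmp']} oversize segment(s) sent afterwards")
        print("  workaround:", pf_max_mss_rule(r["mtu"], "$ext_if"))
```

Clamping the MSS on the router keeps DF semantics intact (unlike `no-df`, which lets the tunnel fragment ESP packets) and removes the dependency on the end host honouring ICMP at all; the 40-byte subtraction assumes no IP options, and a sender using TCP options simply ends up a little under the limit.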
