Hi misc@,

I've set up an IPsec tunnel for serving my website from my home. The
tunnel works quite well most of the time, but if I try to deliver big
files over it, the HTTP client never gets a response. After some
testing, if I run on the HTTP server end

        perl -e 'print "a" x 1386;' | doas nc -l 10.200.0.80 80

the client receives 1386 "a"s, but with any bigger size the client sees no
response at all.

This smells of MTU / fragmentation issues, but I don't know enough about
networks to configure it properly. Is this the case? Any recommendations
on how to configure a sensible value? Any clue sticks? I can bang
different MTUs until it works, but that solution doesn't seem to scale.
You can find my iked and pf configs below.

Also would like to understand why it happens, so pointers to docs are
more than welcome.

Thanks in advance,
-Lucas

Initiator /etc/iked.conf:

        initiator_www =         10.200.0.80
        initiator_peer =        192.0.2.1
        responder =             198.51.100.1

        ikev2 "www" active proto tcp \
            from $initiator_www port 80 to $responder \
            peer $responder \
            srcid initiator dstid responder \
            tag IPSECWWW

Initiator /etc/pf.conf:

        set block-policy drop
        set loginterface egress
        set skip on lo0

        block all

        pass out quick on { egress enc0 }

        pass in quick on enc0 tagged IPSECWWW
        pass in on egress proto tcp to port ssh
        pass in on egress inet proto icmp all
        pass in on egress inet6 proto ipv6-icmp all

Responder /etc/iked.conf:

        initiator_www =         10.200.0.80
        initiator_peer =        192.0.2.1
        responder =             198.51.100.1

        ikev2 "www" passive proto tcp \
            from $responder to $initiator_www port 80 \
            peer $initiator_peer \
            srcid responder dstid initiator \
            tag IPSECWWW

Responder /etc/pf.conf:

        set block-policy drop
        set loginterface egress
        set skip on lo0

        block log all

        pass out quick on egress

        pass in log on egress proto udp from any to (egress) \
            port { isakmp ipsec-nat-t }
        pass in log on egress proto esp from any to (egress)
        pass in log on enc0 tagged IPSECWWW
        pass out log on enc0

        pass in on egress proto tcp to port { ssh http https }
        pass in on egress inet proto icmp all
        pass in on egress inet6 proto icmp6 all
