Hello Lucas,

as far as I understood, setting MTU on encN interfaces is not supported since it is not mentioned by enc(4) and setting it manually fails:

> machine# ifconfig enc0 mtu 1500
> ifconfig: SIOCSIFMTU: Inappropriate ioctl for device

If you do not want to use GRE tunnels or gif interfaces, I suppose truncating MSS via pf might be an acceptable but not elegant solution:

> match on enc0 scrub (max-mss 1394)

1394 bytes is intentional as the remote end has an interface MTU of 1488 bytes configured (behind a DSL connection using VLANs).

That being said, I bumped into some reproducible but not deterministic crashes which are most likely related to IPsec connections as the same system runs stable using OpenVPN. Please refer to https://marc.info/?l=openbsd-bugs&m=158048415032524&w=2 for further information - unfortunately, there is no solution for this yet.

Thanks, and best regards,
Peter Müller

> Hi misc@,
>
> I've set up an IPsec tunnel for serving my website from my home. The
> tunnel works quite well most of the time, but if I try to deliver big
> files over it, the HTTP client never gets a response. After some
> testing, if I ran in the HTTP server end
>
> perl -e 'print "a" x 1386;' | doas nc -l 10.200.0.80 80
>
> client receives 1386 "a"s, but with any bigger size the client sees no
> response at all.
>
> This smells of MTU / fragmentation issues, but I don't know enough about
> networks to configure it properly. Is this the case? Any recommendations
> on how to configure a sensible value? Any clue sticks? I can bang
> different MTUs until it works, but that solution doesn't seem to scale.
> You can find my iked and pf configs below.
>
> Also would like to understand why it happens, so pointers to docs are
> more than welcome.
>
> Thanks in advance,
> -Lucas
>
> Initiator /etc/iked.conf:
>
> initiator_www = 10.200.0.80
> initiator_peer = 192.0.2.1
> responder = 198.51.100.1
>
> ikev2 "www" active proto tcp \
> 	from $initiator_www port 80 to $responder \
> 	peer $responder \
> 	srcid initiator dstid responder \
> 	tag IPSECWWW
>
> Initiator /etc/pf.conf:
>
> set block-policy drop
> set loginterface egress
> set skip on lo0
>
> block all
>
> pass out quick on { egress enc0 }
>
> pass in quick on enc0 tagged IPSECWWW
> pass in on egress proto tcp to port ssh
> pass in on egress inet proto icmp all
> pass in on egress inet6 proto ipv6-icmp all
>
> Responder /etc/iked.conf:
>
> initiator_www = 10.200.0.80
> initiator_peer = 192.0.2.1
> responder = 198.51.100.1
>
> ikev2 "www" passive proto tcp \
> 	from $responder to $initiator_www port 80 \
> 	peer $initiator_peer \
> 	srcid responder dstid initiator \
> 	tag IPSECWWW
>
> Responder /etc/pf.conf:
>
> set block-policy drop
> set loginterface egress
> set skip on lo0
>
> block log all
>
> pass out quick on egress
>
> pass in log on egress proto udp from any to (egress) \
> 	port { isakmp ipsec-nat-t }
> pass in log on egress proto esp from any to (egress)
> pass in log on enc0 tagged IPSECWWW
> pass out log on enc0
>
> pass in on egress proto tcp to port { ssh http https }
> pass in on egress inet proto icmp all
> pass in on egress inet6 proto icmp6 all
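The MTU arithmetic behind the max-mss clamp discussed above, as an added example that is not part of this thread: it sizes a TCP segment after ESP tunnel-mode encapsulation and derives the largest MSS that still fits a given path MTU, so the value can be computed instead of found by trial. The ESP overhead constants (8-byte SPI/sequence header, IV, trailer, ICV, padding block) are assumed for one example transform, and the `pf_max_mss_rule` helper is hypothetical.

```python
from dataclasses import dataclass

IPV4_HDR = 20  # outer and inner IPv4 header, no options
TCP_HDR = 20   # TCP header without options; MSS counts payload only


@dataclass(frozen=True)
class EspTransform:
    """Per-packet ESP overhead for one cipher/auth combination (assumed values)."""
    name: str
    iv_len: int   # explicit IV carried after the 8-byte SPI/sequence header
    icv_len: int  # integrity check value appended after the trailer
    block: int    # padding aligns (inner packet + 2-byte trailer) to this size


# Assumed example transform: AES-CBC with HMAC-SHA2-256 truncated to 128 bits.
AES_CBC_SHA256 = EspTransform("aes-cbc/hmac-sha2-256", iv_len=16, icv_len=16, block=16)


def esp_tunnel_size(tcp_payload: int, t: EspTransform = AES_CBC_SHA256) -> int:
    """Bytes on the wire for one TCP segment in ESP tunnel mode (IPv4 in IPv4)."""
    inner = IPV4_HDR + TCP_HDR + tcp_payload
    pad = (-(inner + 2)) % t.block  # ESP pads so the 2-byte trailer ends on a block boundary
    return IPV4_HDR + 8 + t.iv_len + inner + pad + 2 + t.icv_len


def max_mss_for_path_mtu(path_mtu: int, t: EspTransform = AES_CBC_SHA256) -> int:
    """Largest MSS whose encapsulated packet still fits in path_mtu."""
    mss = path_mtu - (IPV4_HDR + TCP_HDR)  # upper bound even without ESP
    while mss > 0 and esp_tunnel_size(mss, t) > path_mtu:
        mss -= 1
    return mss


def pf_max_mss_rule(path_mtu: int, t: EspTransform = AES_CBC_SHA256) -> str:
    """pf rule clamping MSS on enc0, in the form used in the thread (hypothetical helper)."""
    return f"match on enc0 scrub (max-mss {max_mss_for_path_mtu(path_mtu, t)})"


if __name__ == "__main__":
    for mtu in (1500, 1488):  # 1488 is the remote DSL/VLAN MTU mentioned in the thread
        mss = max_mss_for_path_mtu(mtu)
        print(f"path MTU {mtu}: MSS {mss} -> {esp_tunnel_size(mss)} bytes on the wire")
        print("  " + pf_max_mss_rule(mtu))
```

Because padding absorbs a few bytes, several adjacent MSS values encapsulate to the same size, which is why a trial-and-error search can land on a value that works without being the largest one; swap in your own transform's IV, ICV and block constants before trusting the number.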