On Mon, 24 Jul 2006, Heinrich Rebehn wrote:
Hi list,
I am running into a strange problem with IPSec (MTU? fragmentation?) which I
am unable to resolve.
My Setup:
At home I have one PC which connects to our institute network with IPSec. The
PC connects to the internet via a DSL modem using Linux/PPPoE or Windows
XP/SP2. This has been running fine for years now.
Last week I bought a Netgear WTG624V3 WLAN router in order to allow our
notebook to connect to the internet too.
This router is now connected between the PC and the DSL modem and does the
job of bringing up the internet connection with PPPoE.
IPSec from my PC still works, but the symptoms are as follows:
- The tunnel is brought up and I can use it to ssh to our institute's
firewall/ipsec gateway. On the gateway (OpenBSD 3.8), I can work in the shell
as long as I want, but as soon as I do a "ls -lR /" or something else that
produces large output, the connection is stalled.
However, the tunnel is still usable; I can do a second ssh and continue working.
This leads me to the conclusion that it cannot be a rekeying issue.
Under the second login, I can see both connections:
[EMAIL PROTECTED] [~]# netstat -anptcp | grep 192.168.1.2
tcp 0 48 134.102.176.250.22 192.168.1.2.40010 ESTABLISHED
tcp 0 16304 134.102.176.250.22 192.168.1.2.40009 ESTABLISHED
All MTUs (PC, WLAN router, firewall) are set to 1500.
I played with max-mss in pf.conf, as was suggested on the misc@ ML:
scrub in on enc0 all max-mss 1318
but it did not help.
Parallel to the "ls -lR /" mentioned above, I did a tcpdump on the firewall's
external if, which can be found at:
http://www.ant.uni-bremen.de/~rebehn/vlan1.dump
The dump shows that fragmentation does occur.
The same symptom can also be observed when connecting to our www server
behind the firewall, very small pages are displayed, bigger ones get stalled.
Can anyone help me on this? I am not familiar with the internals of TCP/IP,
especially MTUs and fragmentation.
If you need isakmpd.conf, pf.conf or anything else, please let me know.
Thanks for any help,
Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664
Fax : -3341
http://archives.neohapsis.com/archives/openbsd/2006-06/1666.html
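An added worked example, not from Heinrich's post or the thread, showing the arithmetic behind a max-mss clamp like the pf rule quoted above: for a given link MTU and ESP transform overhead it computes the largest TCP MSS whose tunnelled segment still fits into one outer packet, and checks whether the default 1460-byte MSS of a 1500-byte-MTU host would be fragmented. The PPPoE MTU of 1492, the 3DES-CBC/HMAC-SHA1-96 transform and the NAT-T variant are assumptions, not values taken from the post.

```python
# Added example (not from the post): arithmetic behind an IPsec "max-mss" clamp.
# Assumptions (not stated in the post): PPPoE link MTU 1492, ESP tunnel mode
# with 3DES-CBC (8-byte IV, 8-byte block) and HMAC-SHA1-96 (12-byte ICV), no NAT-T.

IPV4_HDR = 20      # outer and inner IPv4 header without options
TCP_HDR = 20       # TCP header without options
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
UDP_HDR = 8        # only present with NAT-Traversal (ESP in UDP port 4500)


def esp_tunnel_size(inner_len, iv=8, block=8, icv=12, nat_t=False):
    """Wire size of an inner IPv4 packet of inner_len bytes after ESP
    tunnel-mode encapsulation with the given transform parameters."""
    # CBC padding: payload + trailer must be a multiple of the cipher block size
    pad = (-(inner_len + ESP_TRAILER)) % block
    size = IPV4_HDR + ESP_HDR + iv + inner_len + pad + ESP_TRAILER + icv
    if nat_t:
        size += UDP_HDR
    return size


def fragments(mss, mtu=1492, **transform):
    """True if a full TCP segment of the given MSS does not fit into one
    outer packet of mtu bytes and therefore has to be fragmented."""
    inner_len = IPV4_HDR + TCP_HDR + mss
    return esp_tunnel_size(inner_len, **transform) > mtu


def max_mss(mtu=1492, **transform):
    """Largest MSS whose encapsulated segment still fits into mtu bytes,
    i.e. the value to put into a 'scrub ... max-mss N' rule for this link."""
    mss = mtu - IPV4_HDR - TCP_HDR          # upper bound: no ESP overhead at all
    while mss > 0 and fragments(mss, mtu, **transform):
        mss -= 1
    return mss


if __name__ == "__main__":
    # A 1500-byte-MTU host advertises MSS 1460; that does not survive the
    # tunnel over a 1492-byte PPPoE link, the clamped value does.
    print("1460 fragments:", fragments(1460))                      # True
    print("largest safe MSS:", max_mss())                          # 1398
    print("with NAT-T and AES-CBC:", max_mss(iv=16, block=16, nat_t=True))  # 1382
```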