Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Mon, 16 Dec 2002 07:39:38 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Mon, 16 Dec 2002 07:39:38 -0500 Received: from iafilius.xs4all.nl ([213.84.160.212]:21120 "EHLO sjoerd.sjoerdnet") by vger.kernel.org with ESMTP id ; Mon, 16 Dec 2002 07:39:36 -0500 Date: Mon, 16 Dec 2002 13:47:26 +0100 (CET) From: Arjan Filius X-X-Sender: arjan@sjoerd.sjoerdnet Reply-To: Arjan Filius To: linux-kernel@vger.kernel.org Subject: 2.5.50 ipsec -> kernel: pmtu discvovery on SA AH/00003d54/ac110032 Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3069 Lines: 88 Hello, While using IPSEC in tunnel mode with kernel 2.5.50 and up i get on the ipsec gateway kernel messages like: Dec 15 19:46:05 sjoerd kernel: pmtu discvovery on SA AH/00003d54/ac110032 And my sessions just "hangs". I can reproduce it when requiring the gateway send large enough amount of data to the client for example logged in with ssh on gateway and do a `cat /var/log/messages`. Same effect, when trying with a host behind the gateway. However, when i don't use ipsec tunnel mode (transport) i can't reproduce it, and also not without ipsec. Any help here? At least i found out that a: iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1300 Does the trick (on the gateway) after some searches about ipsec and mtu problems. Manual changing mtu sizes seems not to resolve my problem. Is this a nonimplemented ipsec-fragmentation issue? Note i'm useing 801.1q on the gateway, and the client is in a vlan behind a vlan-enabled c3548Xl switch, which is normally operating OK. vlan100 is with 802.1q on eth0 (note same MAC, but different manual MTU) eth0 Link encap:Ethernet HWaddr 00:00:AF:00:00:00 inet addr:172.16.0.1 Bcast:172.16.255.255 Mask:255.255.0.0 inet6 addr: fe80::200:afff:fe00:0/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:9000 Metric:1 RX packets:23417 errors:0 dropped:0 overruns:0 frame:0 TX packets:1300 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:1540693 (1.4 Mb) TX bytes:203391 (198.6 Kb) Interrupt:10 sjoerd:/images/kernel/linux-2.5.52 # ifconfig vlan100 vlan100 Link encap:Ethernet HWaddr 00:00:AF:00:00:00 inet addr:172.17.0.1 Bcast:172.17.255.255 Mask:255.255.0.0 inet6 addr: fe80::200:afff:fe00:0/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:1567 errors:0 dropped:0 overruns:0 frame:0 TX packets:213 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:108910 (106.3 Kb) TX bytes:39427 (38.5 Kb) And using on the gateway to set up ipsec: #!/sbin/setkey -f flush; spdflush; # AH add 172.17.0.1 172.17.0.50 ah 15700 -A hmac-md5 "****************"; add 172.17.0.50 172.17.0.1 ah 24500 -A hmac-md5 "****************"; # ESP add 172.17.0.1 172.17.0.50 esp 15701 -m tunnel -E 3des-cbc "************************"; add 172.17.0.50 172.17.0.1 esp 24501 -m tunnel -E 3des-cbc "************************"; spdadd 0.0.0.0/0 172.17.0.50 any -P out ipsec esp/tunnel/172.17.0.1-172.17.0.50/require ah/transport//require; spdadd 172.17.0.50 0.0.0.0/0 any -P in ipsec esp/tunnel/172.17.0.50-172.17.0.1/require ah/transport//require; -- Arjan Filius mailto:iafilius@xs4all.nl - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/