Hubert Feyrer
2009-01-19 16:39:37 UTC
Subject: connection hangs with IPsec
I'm currently struggling with IPsec, and would like to ask if anyone has
seen a similar behavior, or can give some debugging hints.
The effect that I see is that connections "hang", often after multiples of
32768 or 65535kB:
# ftp -o /tmp/x http://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/4.0/All/openoffice2-2.4.2.tgz
Trying 2001:4f8:4:7:230:48ff:fe31:43f2...
ftp: Connect to address `2001:4f8:4:7:230:48ff:fe31:43f2': No route to host
Trying 204.152.190.13...
Requesting http://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/4.0/All/openoffice2-2.4.2.tgz
0% | | 65536 1.64 KB/s - stalled -^C
The setup here:
LAN1 - Router1 -----------<Internet>---------- Router2 ------ LAN2 ----<Upstream>
                \                                /
                 gre0-------GRE-Tunnel------gre0
The connection between Router1 and Router2 is encrypted with IPsec
(transport mode), the problem happens both with manually configured keys
as well as when using Racoon. Both Routers run NetBSD 4.0, Router1 is
performing NAT with PF.
Connecting from LAN1 to the outside world ("Upstream") works fine via the
GRE-Tunnel. When enabling IPsec between the two routers, connections to
the outside hang, both via HTTP and FTP. Pings work fine.
Looking with tcpdump and wireshark, it seems that Router2 is not catching
up with ACKs to the (outside) servers, and after some time
(1+2+4+8+16+32+64 seconds, about 2 minutes) the server re-transmits the
missing packets, at which time the download continues - for another 64KB,
at which time the delay starts again.
Has anyone seen something similar? Do you have any ideas what to look for?
The chunk size in which the transfers work makes me suspicious (32KB for
FTP, 64KB for HTTP).
I can provide more details on the setup if required, just let me know.
Thanks!
- Hubert
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de