
Re: kernel/4071: Problem with IPsec with NAT (udpencap)



The following reply was made to PR kernel/4071; it has been noted by GNATS.

From: Hans-Joerg Hoexer <Hans-Joerg_(_dot_)_Hoexer_(_at_)_yerbouti_(_dot_)_franken_(_dot_)_de>
To: Witek <witek2c_(_at_)_poczta_(_dot_)_onet_(_dot_)_pl>
Cc: Hans-Joerg Hoexer <Hans-Joerg_(_dot_)_Hoexer_(_at_)_yerbouti_(_dot_)_franken_(_dot_)_de>,
        Markus Friedl <markus_(_at_)_openbsd_(_dot_)_org>, gnats_(_at_)_openbsd_(_dot_)_org
Subject: Re: kernel/4071: Problem with IPsec with NAT (udpencap)
Date: Mon, 24 Jan 2005 22:22:49 +0100

 Hi,
 
 On Mon, Jan 24, 2005 at 10:09:26PM +0100, Witek wrote:
 > At first I added 'scrub in all' and 'scrub out all' to the pf.conf on both
 > ends of the VPN tunnel, but nothing was better. Then I tried to apply the fix
 > http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/ipsec_output.c.diff?r1=1.31&r2=1.32
 > and it seems to work!!
 > I have to do more tests to be sure it works and what (both or not) is
 > necessary to correct this inconvenience.
 
 revision 1.32 of ipsec_output.c is the fix for this problem.
 
 > Have you any suggestions how to perform a good test for this problem?
 > Thank you for help.
 > Witek
 
 the problem is caused by large packets that need to be fragmented,
 i.e. ftp download, scp'ing a file, etc.  With the above diff the MTU is
 adjusted correctly and large packets are avoided.
 
 HJ.