Re: kernel/4071: Problem with IPsec with NAT (udpencap)
- To: bugs_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org
- Subject: Re: kernel/4071: Problem with IPsec with NAT (udpencap)
- From: Hans-Joerg Hoexer <Hans-Joerg_(_dot_)_Hoexer_(_at_)_yerbouti_(_dot_)_franken_(_dot_)_de>
- Date: Mon, 24 Jan 2005 14:35:02 -0700 (MST)
- Cc:
- Reply-to: Hans-Joerg Hoexer <Hans-Joerg_(_dot_)_Hoexer_(_at_)_yerbouti_(_dot_)_franken_(_dot_)_de>
The following reply was made to PR kernel/4071; it has been noted by GNATS.
From: Hans-Joerg Hoexer <Hans-Joerg_(_dot_)_Hoexer_(_at_)_yerbouti_(_dot_)_franken_(_dot_)_de>
To: Witek <witek2c_(_at_)_poczta_(_dot_)_onet_(_dot_)_pl>
Cc: Hans-Joerg Hoexer <Hans-Joerg_(_dot_)_Hoexer_(_at_)_yerbouti_(_dot_)_franken_(_dot_)_de>,
Markus Friedl <markus_(_at_)_openbsd_(_dot_)_org>, gnats_(_at_)_openbsd_(_dot_)_org
Subject: Re: kernel/4071: Problem with IPsec with NAT (udpencap)
Date: Mon, 24 Jan 2005 22:22:49 +0100
Hi,
On Mon, Jan 24, 2005 at 10:09:26PM +0100, Witek wrote:
> At first I added 'scrub in all' and 'scrub out all' to the pf.conf on both
> ends of the VPN tunnel, but nothing was better. Then I tried to apply the fix
> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/ipsec_output.c.diff?r1=1.31&r2=1.32
> and it seems to work!!
> I have to do more tests to be sure it works and what (both or not) is
> necessary to correct this inconvenience.
Revision 1.32 of ipsec_output.c is the fix for this problem.
> Have you any suggestions how to perform a good test for this problem?
> Thank you for help.
> Witek
The problem is caused by large packets that need to be fragmented,
i.e. ftp download, scp'ing a file, etc. With the above diff the MTU is
adjusted correctly and large packets are avoided.
HJ.