tech-net archive


Subject: connection hangs with IPsec

I'm currently struggling with IPsec, and would like to ask if anyone has seen a similar behavior, or can give some debugging hints.

Effect that I see is that connections "hang", often after multiples of 32768 or 65535kB:

        # ftp -o /tmp/x http://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/4.0/All/openoffice2-2.4.2.tgz
        Trying 2001:4f8:4:7:230:48ff:fe31:43f2...
        ftp: Connect to address `2001:4f8:4:7:230:48ff:fe31:43f2': No route to host
        Trying 204.152.190.13...
        Requesting http://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/4.0/All/openoffice2-2.4.2.tgz
          0% |                                     | 65536       1.64 KB/s  - stalled -^C

The setup here:

 LAN1 - Router1 -----------<Internet>---------- Router2 ------ LAN2 ----<Upstream>
               \                               /
                gre0-------GRE-Tunnel------gre0

The connection between Router1 and Router2 is encrypted with IPsec (transport mode), the problem happens both with manually configured keys as well as when using Racoon. Both Routers run NetBSD 4.0, Router1 is performing NAT with PF.

Connecting from LAN1 to the outside world ("Upstream") works fine via the GRE-Tunnel. When enabling IPsec between the two routers, connections to the outside hang, both via HTTP and FTP. Pings work fine.

Looking with tcpdump and wireshark, it seems that Router2 is not catching up with ACKs to the (outside) servers, and after some time (1+2+4+8+16+32+64 seconds, about 2 minutes) the server re-transmits the missing packets, at which time the download continues - for another 64KB, at which time the delay starts again.

Has anyone seen something similar? Do you have any ideas what to look for? The chunksize in which the transfers work makes me suspicious (32KB for FTP, 64KB for HTTP).

I can provide more details on the setup if required, just let me know.

Thanks!


 - Hubert
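As an added check that is not part of Hubert's post: a small Python script that tests a transfer trace for the two signatures he describes, stalls that land exactly on 32 KiB / 64 KiB multiples, and retransmission gaps that double (1, 2, 4, ... seconds) like TCP's RTO backoff. The progress samples and retransmit timestamps below are constructed, as one would collect from ftp's progress line or a tcpdump of the data connection.

```python
"""Check a transfer trace for the stall pattern described in the post.

Added example; the sample data is constructed, not captured from the setup.
"""

# Chunk sizes the post reports the transfers stalling at (FTP, HTTP).
CHUNKS = (32768, 65536)

# Constructed progress samples: (seconds, cumulative bytes received).
# Data flows to 64 KiB, stalls 127 s, flows again, stalls again.
SAMPLES = [(0.0, 0), (5.0, 16384), (20.0, 32768), (40.0, 65536),
           (167.0, 81920), (190.0, 131072), (317.0, 147456)]

# Constructed timestamps of the server's retransmissions of one segment,
# spaced 1, 2, 4, 8, 16, 32, 64 s apart (sum 127 s, "about 2 minutes").
RETRANSMITS = [40.0, 41.0, 43.0, 47.0, 55.0, 71.0, 103.0, 167.0]


def find_stalls(samples, min_gap=30.0):
    """Return [(bytes_at_stall, stall_seconds)] for every gap of at least
    min_gap seconds between consecutive progress samples."""
    stalls = []
    for (t0, b0), (t1, _) in zip(samples, samples[1:]):
        if t1 - t0 >= min_gap:
            stalls.append((b0, t1 - t0))
    return stalls


def at_chunk_boundary(nbytes, chunks=CHUNKS):
    """True if the byte count is a non-zero multiple of 32 KiB or 64 KiB."""
    return nbytes > 0 and any(nbytes % c == 0 for c in chunks)


def looks_like_rto_backoff(times, tolerance=0.25):
    """True if successive intervals between retransmissions roughly double,
    i.e. the sender is in exponential RTO backoff rather than losing
    packets at random. tolerance is the allowed relative error on 2x."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return False
    return all(g0 > 0 and abs(g1 / g0 - 2.0) <= 2.0 * tolerance
               for g0, g1 in zip(gaps, gaps[1:]))


if __name__ == "__main__":
    for nbytes, secs in find_stalls(SAMPLES):
        print(f"stall at {nbytes} bytes for {secs:.0f}s, "
              f"chunk boundary: {at_chunk_boundary(nbytes)}")
    print("RTO backoff pattern:", looks_like_rto_backoff(RETRANSMITS))
```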

