tech-net archive


connection hangs with IPsec

Subject: connection hangs with IPsec

I'm currently struggling with IPsec, and would like to ask if anyone has seen a similar behavior, or can give some debugging hints.

The effect I see is that connections "hang", often after multiples of 32768 or 65535 kB:

        # ftp -o /tmp/x
        Trying 2001:4f8:4:7:230:48ff:fe31:43f2...
        ftp: Connect to address `2001:4f8:4:7:230:48ff:fe31:43f2': No route to 
          0% |                                     | 65536       1.64 KB/s  - stalled -^C

The setup here:

 LAN1 - Router1 -----------<Internet>---------- Router2 ------ LAN2 
               \                               /

The connection between Router1 and Router2 is encrypted with IPsec (transport mode); the problem happens both with manually configured keys and when using Racoon. Both routers run NetBSD 4.0, and Router1 is performing NAT with PF.

Connecting from LAN1 to the outside world ("Upstream") works fine via the GRE tunnel. When enabling IPsec between the two routers, connections to the outside hang, both via HTTP and FTP. Pings work fine.

Looking with tcpdump and wireshark, it seems that Router2 is not catching up with ACKs to the (outside) servers, and after some time (1+2+4+8+16+32+64 seconds, about 2 minutes) the server retransmits the missing packets, at which time the download continues - for another 64KB, at which time the delay starts again.

Has anyone seen something similar? Do you have any ideas what to look for? The chunk size in which the transfers work makes me suspicious (32KB for FTP, 64KB for HTTP).

I can provide more details on the setup if required, just let me know.


 - Hubert
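As an added example (not part of Hubert's mail and not a NetBSD tool), here is a small Python analyzer that mechanizes the observation in the post: it reads a simplified, constructed trace (not real tcpdump output; the field layout is my assumption), finds periods in which the ACK stream stops advancing while the server keeps retransmitting, and reports the byte offset at which each stall began, whether that offset lies on a 32 KB or 64 KB boundary, and whether the retransmit intervals show the doubling backoff described above.

```python
import re

# Constructed, simplified trace (NOT real tcpdump output). "srv" is the outside
# server, "cli" the downloading host. Each line: time(s) dir seq lo:hi | ack n
TRACE = """\
0.00 srv>cli seq 64076:65536
0.01 cli>srv ack 65536
0.02 srv>cli seq 65536:66996
1.02 srv>cli seq 65536:66996
3.02 srv>cli seq 65536:66996
7.02 srv>cli seq 65536:66996
7.03 cli>srv ack 66996
7.04 srv>cli seq 66996:68456
7.05 cli>srv ack 68456
"""

LINE = re.compile(r"^(?P<t>[\d.]+) (?P<d>\w+>\w+) "
                  r"(?:seq (?P<lo>\d+):(?P<hi>\d+)|ack (?P<ack>\d+))$")

def window_boundary(offset):
    """Return 65536 or 32768 if `offset` falls on such a boundary, else None."""
    for size in (65536, 32768):
        if offset and offset % size == 0:
            return size
    return None

def find_stalls(trace, idle=1.0):
    """One record per period in which no new ACK arrived for more than `idle`
    seconds; each record carries the retransmit intervals seen meanwhile."""
    acked, last_ack_t = 0, 0.0
    last_tx = {}          # (lo, hi) -> time the server last sent that segment
    retx, stalls = [], []
    for line in trace.strip().splitlines():
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        t = float(m["t"])
        if m["lo"] is not None:                 # data segment from the server
            seg = (int(m["lo"]), int(m["hi"]))
            if seg in last_tx:                  # same bytes again: retransmission
                retx.append(round(t - last_tx[seg], 2))
            last_tx[seg] = t
        else:                                   # ACK coming back from the client
            ack = int(m["ack"])
            if ack > acked:
                gap = round(t - last_ack_t, 2)
                if gap > idle:
                    doubling = len(retx) >= 2 and all(
                        b >= 1.8 * a for a, b in zip(retx, retx[1:]))
                    stalls.append({"offset": acked, "stall_s": gap,
                                   "retransmits": len(retx), "backoff": retx,
                                   "boundary": window_boundary(acked),
                                   "exponential": doubling})
                acked, last_ack_t, retx = ack, t, []
    return stalls

if __name__ == "__main__":
    for s in find_stalls(TRACE):
        print(s)
```

On the constructed trace it reports one stall starting at offset 65536 (a 64 KB boundary) with retransmit intervals of 1, 2 and 4 seconds, which is the pattern the mail describes.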
