
Richard Andrews wrote:
I'm load testing a kernel mode IPsec setup. When IKE SAs renegotiate, one or two IP packets get sent on the default route, but after the tunnel is back up the TCP connection remains stuck on the default route, bypassing xfrm policy until the TCP connection closes from retransmission failures.
Ping is not affected the same way. It uses the tunnel as soon as a new child SA is up (even while TCP is broken). The next TCP connection uses the tunnel immediately.
Random not-very-good thoughts:
- presumably ICMP works because it's connectionless. Confirm by testing if UDP also does the Right Thing.
- RPF? During transition, perhaps RPF is dropping a small segment of the TCP conversation. Test by turning off RPF.
- likewise test w/ minimal or no firewall, policy routing, &c
- tcpdump on all hosts you have access to