Richard Andrews wrote:
I'm load testing a kernel mode IPsec setup. When
IKE SAs renegotiate
one or two IP packets get sent on the default route but after the
tunnel is back up the TCP connection remains stuck on the default
route bypassing xfrm policy until the TCP connection closes from
Ping is not affected the same way. It uses the tunnel as soon as a new
child SA is up (even while TCP is broken).
The next TCP connection uses the tunnel immediately.
Random not-very-good thoughts:
- presumably ICMP works because it's connectionless. Confirm by
testing if UDP also does the Right Thing.
- RPF? During transition, perhaps RPF is dropping a small segment
of the TCP conversation. Test by turning off RPF.
- likewise test w/ minimal or no firewall, policy routing, &c
- tcpdump on all hosts you have access to
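An added diagnostic, not code from either message in this thread: it walks the outer-interface tcpdump output the reply suggests and flags cleartext flows that keep showing up after a new ESP SPI (the rekeyed child SA) has appeared, which is the stuck-TCP symptom Richard describes, while transient leaks during the renegotiation itself are counted separately. The capture lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed tcpdump -n output from the outer interface of an IPsec gateway
# (documentation address ranges, not a real capture). The ESP SPI changes at
# 10:00:01.500, i.e. a new child SA is installed after the IKE rekey.
SAMPLE_CAPTURE = """\
10:00:00.100 IP 192.0.2.1 > 198.51.100.1: ESP(spi=0x0000a001,seq=0x10), length 120
10:00:00.900 IP 10.0.0.7.40000 > 10.0.1.5.22: Flags [P.], seq 1:33, ack 1, win 500, length 32
10:00:01.000 IP 10.0.0.7 > 10.0.1.5: ICMP echo request, id 1, seq 1, length 64
10:00:01.100 IP 10.0.0.7.5000 > 10.0.1.5.5000: UDP, length 10
10:00:01.500 IP 192.0.2.1 > 198.51.100.1: ESP(spi=0x0000a002,seq=0x1), length 120
10:00:02.000 IP 10.0.0.7.40000 > 10.0.1.5.22: Flags [P.], seq 33:65, ack 1, win 500, length 32
10:00:02.300 IP 192.0.2.1 > 198.51.100.1: ESP(spi=0x0000a002,seq=0x2), length 120
10:00:03.000 IP 10.0.0.7.40000 > 10.0.1.5.22: Flags [.], ack 1, win 500, length 0
"""

ESP_RE = re.compile(r"^(\S+) IP \S+ > \S+: ESP\(spi=(0x[0-9a-f]+),")
CLEAR_RE = re.compile(
    r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.?(\d*) > (\d+\.\d+\.\d+\.\d+)\.?(\d*): (Flags|UDP|ICMP)"
)

def to_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def cleartext_flow_counts(capture):
    """Map each cleartext flow (proto, src, sport, dst, dport) seen on the
    outer interface to (packets before, packets after) the most recent new
    ESP SPI. Packets before the SPI change are the transient leak during
    renegotiation; packets after it bypass xfrm policy with the tunnel up."""
    seen_spis, last_rekey = set(), None
    counts = defaultdict(lambda: [0, 0])
    for line in capture.splitlines():
        m = ESP_RE.match(line)
        if m:
            ts, spi = to_seconds(m.group(1)), m.group(2)
            if spi not in seen_spis:
                if seen_spis:  # the first SPI is the initial SA, not a rekey
                    last_rekey = ts
                seen_spis.add(spi)
            continue
        m = CLEAR_RE.match(line)
        if not m:
            continue
        ts = to_seconds(m.group(1))
        proto = "TCP" if m.group(6) == "Flags" else m.group(6)
        flow = (proto, m.group(2), m.group(3), m.group(4), m.group(5))
        counts[flow][1 if last_rekey is not None and ts >= last_rekey else 0] += 1
    return {flow: tuple(c) for flow, c in counts.items()}

def stuck_flows(capture):
    """Flows still sent in cleartext after the rekeyed child SA came up."""
    return [f for f, (_, after) in cleartext_flow_counts(capture).items() if after > 0]
```

Run it against a real `tcpdump -n -i <outer-if>` capture from the gateway; ICMP and UDP flows appearing only in the "before" column while a TCP flow has a non-zero "after" count reproduces the behaviour described above.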