Bug 195969

Summary: ipsec icmp and udp works, tcp doesn't work
Product: Networking
Reporter: djagoo (dev)
Component: Other
Assignee: Stephen Hemminger (stephen)
Status: RESOLVED PATCH_ALREADY_AVAILABLE
Severity: normal
CC: dev, rocketraman, shieldwed, tobias.koeck
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 4.11.3-1-ARCH
Subsystem:
Regression: No
Bisected commit-id:

Description djagoo 2017-06-03 06:25:05 UTC
A few days ago I updated to 4.11.3-1-ARCH. After that my VPN access to our corporate network was broken.

The connection is established and I can use UDP (i.e. DNS) and ICMP. All TCP connections I tried (ssh, smb, http...) failed.

On the AUR page, the comment "MartinDiehl commented on 2017-05-25 19:57" describes the same error.

https://aur.archlinux.org/packages/strongswan/

And I found a bug report on redhat bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=1458222

Comment 1 djagoo 2017-06-07 12:22:29 UTC
This patch solved it for me:

https://patchwork.ozlabs.org/patch/772206/

Comment 2 Tobias Koeck 2017-06-13 09:41:17 UTC
A fix for the problem in the official kernel would be great.

Comment 3 djagoo 2017-06-16 14:49:38 UTC
Yes, would be great. Today I updated to 4.11.5 and the error is back again. Please fix in Kernel.

Comment 4 Raman Gupta 2017-06-29 22:04:24 UTC
I am using 4.11.6-201.fc25.x86_64 which apparently has the patch above.

Yet I still have an issue with strongswan/ipsec. ICMP, SSH work perfectly fine. However, in some cases (HTTP) I can make a connection to the remote server, the remote server receives my data, sends back a response, but the response packets are never received by my client.

Comment 5 Raman Gupta 2017-06-29 22:05:39 UTC
(In reply to Raman Gupta from comment #4)
> I am using 4.11.6-201.fc25.x86_64 which apparently has the patch above.
> 
> Yet I still have an issue with strongswan/ipsec. ICMP, SSH work perfectly
> fine. However, in some cases (HTTP) I can make a connection to the remote
> server, the remote server receives my data, sends back a response, but the
> response packets are never received by my client.

I'll further note I have no idea why some TCP connections work (SSH) and others don't (HTTP).

Comment 6 djagoo 2017-07-07 05:18:48 UTC
Today I updated to 4.11.9-1-ARCH and the error seems to be fixed.