Date:      Mon, 23 Dec 2019 17:05:48 +0700
From:      Eugene Grosbein <eugen@grosbein.net>
To:        "Andrey V. Elsukov" <bu7cher@yandex.ru>, Victor Sudakov <vas@sibptus.ru>,  freebsd-net@freebsd.org
Subject:   Re: IPSec transport mode, mtu, fragmentation...
Message-ID:  <d1c6615d-5f87-02f9-17cb-217edaf97939@grosbein.net>
In-Reply-To: <7cc2f101-c870-c517-8e01-d656079a75be@yandex.ru>
References:  <20191220152314.GA55278@admin.sibptus.ru> <f38d1f3c-dc47-0776-29f9-2151b05e09b0@tuxpowered.net> <20191220160357.GB56081@admin.sibptus.ru> <20191220162233.GA56815@admin.sibptus.ru> <55eeca4c-9633-339a-f521-b0db462cc1d6@yandex.ru> <7cc2f101-c870-c517-8e01-d656079a75be@yandex.ru>

23.12.2019 16:44, Andrey V. Elsukov wrote:

> On 23.12.2019 12:39, Andrey V. Elsukov wrote:
>> On 20.12.2019 19:22, Victor Sudakov wrote:
>>>> What's the root of the problem? ESP packets cannot get fragmented or
>>>> what? 
>>>
>>> Wireshark has shown that the "Don't Fragment" flag is set on all ESP
>>> (protocol 50) packets. Who does this, why, and how can I switch it off
>>> globally?
>>
>> Hi,
>>
>> I think this DF flag is originally from TCP packet.
>> ESP xform for transport mode just replaces protocol in IP header and
>> adds some info to the end of a packet.
> 
> This is controlled by net.inet.tcp.path_mtu_discovery variable.
> TCP won't set IP_DF flag if you disable this feature.

Disabling PMTUD globally results in small outgoing TCP packets for all connections, encrypted or not.
Performance may degrade.
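
Added example, not part of the thread: a simplified Python model of the transport-mode ESP behaviour discussed above, showing that a DF bit set for the TCP segment is still in the IP header once the protocol field becomes 50, while the packet grows. The 16-byte IV, 12-byte ICV, 16-byte cipher block, SPI, addresses, option-free 20-byte IP header and all helper names are assumptions, and no real encryption is performed.

```python
import struct

ESP_PROTO, TCP_PROTO, DF = 50, 6, 0x4000

def checksum(hdr: bytes) -> int:
    """Standard IPv4 header checksum (ones' complement sum of 16-bit words)."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build_ipv4(proto: int, payload: bytes, df: bool) -> bytes:
    """Constructed packet: 20-byte header without options, documentation addresses."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                      DF if df else 0, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def esp_transport(pkt: bytes, iv_len=16, icv_len=12, block=16) -> bytes:
    """Model of transport-mode ESP: same IP header, new protocol, longer payload.
    Sizes are assumed; zero bytes stand in for IV, ciphertext and ICV."""
    hdr, payload = bytearray(pkt[:20]), pkt[20:]
    next_header = hdr[9]                      # original protocol moves to the trailer
    pad = -(len(payload) + 2) % block         # align payload + pad_len + next_header
    body = (struct.pack("!II", 0x1000, 1)     # SPI (made up) and sequence number
            + bytes(iv_len) + payload + bytes(range(1, pad + 1))
            + bytes([pad, next_header]) + bytes(icv_len))
    hdr[9] = ESP_PROTO                        # protocol replaced
    struct.pack_into("!H", hdr, 2, 20 + len(body))
    struct.pack_into("!H", hdr, 10, 0)        # flags/fragment word at offset 6 untouched
    struct.pack_into("!H", hdr, 10, checksum(bytes(hdr)))
    return bytes(hdr) + body

def describe(pkt: bytes) -> dict:
    """Report the header fields the thread is about."""
    total, = struct.unpack_from("!H", pkt, 2)
    flags, = struct.unpack_from("!H", pkt, 6)
    return {"proto": pkt[9], "df": bool(flags & DF), "len": total}

if __name__ == "__main__":
    plain = build_ipv4(TCP_PROTO, bytes(1480), df=True)   # constructed full-size segment
    print("before:", describe(plain))
    print("after: ", describe(esp_transport(plain)))
```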