From owner-freebsd-net@FreeBSD.ORG Mon Jan 9 22:42:59 2006
Date: Mon, 9 Jan 2006 23:42:57 +0100
From: Jeremie Le Hen
To: nielsen@memberwebs.com
Cc: freebsd-net@freebsd.org
Subject: Re: [fbsd] Problem with PMTU Discovery / DF / IPSEC / GIF Tunnels (FreeBSD 6.0 patch)
Message-ID: <20060109224257.GX90495@obiwan.tataz.chchile.org>
References: <20060104181309.8C756DCA990@mail.npubs.com>
In-Reply-To: <20060104181309.8C756DCA990@mail.npubs.com>
List-Id: Networking and TCP/IP with FreeBSD

Hi, Nate,

> I encountered a strange problem with PMTU discovery not working properly
> on various machines when the packets were tunneled over a GIF / IPSEC
> Transport type tunnel (both ends running FreeBSD 6.0). Configuration
> files attached.
>
> Various older FreeBSD systems (it seemed systems that had jails running)
> and also Windows Virtual Machines running in Microsoft's Virtual Server
> 2005 system, did not perform PMTU discovery properly.
>
> The FreeBSD 6.0 routers were sending out ICMP host-unreachable
> need-fragment packets without an MTU hint. Most machines handle this
> fine, but the ones noted above did not decrease PMTU for the connection.
>
> The attached patch makes sure that the FreeBSD 6.0 router will include
> an MTU hint in the ICMP packet. The problem was caused by the IPSec
> lookup in ip_forward() returning a secpolicy pointer, but then that
> pointer having no details (such as request, etc...) contained in it. The
> attached patch (against 6.0) covers that eventuality.
>
> The 'bug' is obviously in the machines that don't handle the missing MTU
> hint properly, but since we can't patch Windows, this patch helps
> alleviate the problem from the other side.

Thank you for fixing this! I have been puzzled for months with this.
I hope to see it committed soon.

Best regards.
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
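The failure Nate describes is a forwarding path that obtains a non-NULL IPsec policy but finds no request chain inside it, computes no MTU, and therefore sends the ICMP "fragmentation needed" message with a next-hop MTU of 0. The following userland C model is an added illustration and is not the FreeBSD kernel code nor the attached patch; every struct and function name in it (model_secpolicy, model_req, model_sa, mtu_hint_unpatched, mtu_hint_patched, and the 56-byte overhead figure) is constructed for the example. It places the unpatched decision next to the corrected one so the difference in the emitted hint is visible.

```c
/* Added example: a userland model of the MTU-hint decision a forwarding
 * router makes before sending ICMP "need fragmentation". Constructed
 * types; not FreeBSD's struct secpolicy / ipsecrequest / secasvar. */
#include <stddef.h>
#include <stdio.h>

struct model_sa {                /* stands in for the negotiated SA */
    unsigned int path_mtu;       /* MTU of the route the SA's traffic takes */
    unsigned int hdr_overhead;   /* bytes of IPsec encapsulation the SA adds */
};

struct model_req {               /* stands in for the policy's request chain */
    struct model_sa *sav;        /* NULL while no SA exists for the request */
};

struct model_secpolicy {
    struct model_req *req;       /* NULL in the case the mail describes */
};

/* Unpatched behaviour as described in the mail: when a policy is found,
 * the MTU is derived only from its request chain; if that chain is
 * missing, the hint stays 0 and the ICMP message carries no MTU. */
unsigned int mtu_hint_unpatched(const struct model_secpolicy *sp, unsigned int if_mtu)
{
    unsigned int mtu = 0;
    if (sp == NULL)
        return if_mtu;                       /* no IPsec: plain interface MTU */
    if (sp->req != NULL && sp->req->sav != NULL) {
        const struct model_sa *sa = sp->req->sav;
        if (sa->path_mtu > sa->hdr_overhead)
            mtu = sa->path_mtu - sa->hdr_overhead;
    }
    return mtu;                              /* may be 0: the bug */
}

/* Corrected behaviour: the "policy present but empty" eventuality falls
 * back to the outgoing interface MTU, so the hint is never 0. */
unsigned int mtu_hint_patched(const struct model_secpolicy *sp, unsigned int if_mtu)
{
    unsigned int mtu = 0;
    if (sp != NULL && sp->req != NULL && sp->req->sav != NULL) {
        const struct model_sa *sa = sp->req->sav;
        if (sa->path_mtu > sa->hdr_overhead)
            mtu = sa->path_mtu - sa->hdr_overhead;
    }
    if (mtu == 0)
        mtu = if_mtu;                        /* always give the host something usable */
    return mtu;
}

int main(void)
{
    /* Constructed sample values: a 1500-byte Ethernet path and a 56-byte
     * assumed ESP overhead (illustrative, not a protocol constant). */
    struct model_sa sa = { 1500, 56 };
    struct model_req req_full = { &sa };
    struct model_secpolicy sp_full = { &req_full };
    struct model_secpolicy sp_empty = { NULL };   /* the case from the mail */

    printf("full policy:  unpatched=%u patched=%u\n",
           mtu_hint_unpatched(&sp_full, 1500), mtu_hint_patched(&sp_full, 1500));
    printf("empty policy: unpatched=%u patched=%u\n",
           mtu_hint_unpatched(&sp_empty, 1500), mtu_hint_patched(&sp_empty, 1500));
    return 0;
}
```

A next-hop MTU of 0 is defined by RFC 1191 as "no hint": a compliant host is expected to drop to the next value in the plateau table, which is the step the older FreeBSD systems and the Windows guests in the mail were not taking. The router-side fix is the defensive one: treat a lookup that returns a pointer as only half an answer, and validate that the data it points to is actually populated before relying on it.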