From: Harry Schmalzbauer (OmniLAN) <freebsd@omnilan.de>
To: FreeBSD Stable <freebsd-stable@freebsd.org>
Date: Mon, 05 Jan 2015 10:14:59 +0100
Subject: PMTU (must fragment) with ipsec [Was: Re: ipsec routing issue]
Message-ID: <54AA5613.4050303@omnilan.de>
In-Reply-To: <54A1ED2F.2070305@heuristicsystems.com.au>
References: <54A17F33.2020708@ish.com.au> <54A1ED2F.2070305@heuristicsystems.com.au>
Cc: "Bjoern A. Zeeb", Dewayne Geraghty

Regarding Dewayne Geraghty's message of 30.12.2014 01:09 (localtime):
> Ari,
>
> Bjoern offers good advice (as usual). This practical example might

Hello,

I'm quite familiar with ipsec(4), enc(1) and companions, but I haven't found a way to make routers return ICMP "must fragment" with gif-less tunnels.

My last attempt was adding disc(4), assigning it an MTU of 1420 and adding a static route which points to disc. That works for 'route get remotelan' on the router itself; it correctly reports the MTU of 1420, but nevertheless the router never returns "must fragment" (which I'd need because FreeBSD has PMTU on and we use jumbo frames).

Apparently fragmentation is handled before packets arrive at the outgoing interface. Of course, the kernel policy "steals" the packet before it reaches the "outgoing" state.

Am I missing any trick?

Thanks,

-Harry
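As an added example (not from Harry's message or from FreeBSD's code), a Python decoder for the ICMP "fragmentation needed" reply (type 3, code 4, RFC 1191) that a router is expected to emit, which is what the question above is failing to observe; it builds a constructed sample reply with assumed addresses and the 1420 MTU from the message, and the same parser can be pointed at raw IPv4 bytes captured with tcpdump on the LAN side to check whether a router really sends one.

```python
import ipaddress
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, df: bool = False) -> bytes:
    """Minimal 20-byte IPv4 header with a valid checksum; DF set when df=True."""
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, flags_frag, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_frag_needed(router: str, sender: str, offending: bytes, next_hop_mtu: int) -> bytes:
    """Constructed 'fragmentation needed' reply: ICMP type 3 code 4, next-hop MTU in
    bytes 6-7, quoting the offending IP header plus 8 bytes (RFC 1191 layout)."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + offending[:28]
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return ipv4_header(router, sender, 1, len(body)) + body


def parse_frag_needed(pkt: bytes):
    """Return (next_hop_mtu, quoted_destination) if pkt is a well-formed IPv4/ICMP
    'fragmentation needed' message with valid checksums, otherwise None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or inet_checksum(pkt[:ihl]) != 0:  # protocol must be ICMP
        return None
    icmp = pkt[ihl:]
    if len(icmp) < 28 or inet_checksum(icmp) != 0:  # 8-byte ICMP hdr + quoted IP hdr
        return None
    itype, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if itype != 3 or code != 4:
        return None
    quoted_dst = str(ipaddress.IPv4Address(icmp[24:28]))  # dst field of quoted header
    return mtu, quoted_dst


if __name__ == "__main__":
    # Assumed sample: jumbo-frame host 10.0.0.5 sends a DF packet towards 192.168.50.7,
    # router 10.0.0.1 answers with next-hop MTU 1420 (the disc(4) MTU from the thread).
    big = ipv4_header("10.0.0.5", "192.168.50.7", 6, 8000, df=True) + b"\x00" * 8
    print(parse_frag_needed(build_frag_needed("10.0.0.1", "10.0.0.5", big, 1420)))
```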