Date: Mon, 30 Oct 2006 15:23:33 +0200 (SAST)
From: Khetan Gajjar
To: gnn@freebsd.org
Message-ID: <20061030145256.A2293@gauntlet.os.org.za>
References: <20061027203322.X2293@gauntlet.os.org.za>
Cc: freebsd-net@freebsd.org
Subject: Re: Path MTU discovery broken in IPSec
List-Id: Networking and TCP/IP with FreeBSD

Hi George.

Around Today, "gnn@freebsd.org" wrote:

> I'm confused as to why you attribute this to PMTU discovery. Do you
> see ICMP errors indicating that? Have you run traceroutes in both
> directions from each host?

Thanks for your response.

I have tried aliased IPs on the machines which are not IPSec encrypted, which seem to allow the traffic to flow without stalling. It appears to be only IPSec traffic that fails.

I don't see ICMP errors on either host when using the IPSec tunnels. There are no firewall rules that are specific to the IPSec tunnels.

This, combined with the fact that small data transfer sessions across the IPSec tunnels work but small ones don't, leads me to believe this could be a PMTU issue within the IPSec tunnel.

Khetan Gajjar.
--
khetan@os.org.za
+27 82 885 4047