Date: Thu, 16 Jan 2020 21:24:47 +0700
From: Eugene Grosbein <eugen@grosbein.net>
To: "Andrey V. Elsukov" <bu7cher@yandex.ru>, Victor Sudakov <vas@sibptus.ru>, freebsd-net@freebsd.org
Cc: Michael Tuexen <tuexen@freebsd.org>
Subject: Re: IPSec transport mode, mtu, fragmentation...
Message-ID: <d263a709-63cf-7da5-1747-8a6791f6503f@grosbein.net>
In-Reply-To: <f9b7357e-ced1-4ce5-40d5-8e3dcad42442@yandex.ru>
References: <20191220152314.GA55278@admin.sibptus.ru> <4cc83b85-dd30-8c0d-330e-aa549ce98c98@yandex.ru> <f9b7357e-ced1-4ce5-40d5-8e3dcad42442@yandex.ru>
16.01.2020 20:39, Andrey V. Elsukov wrote:

> I prepared the PoC patch that should fix the problem with TCP and
> transport mode IPsec. But I have no free time currently to properly
> test and debug it. It is only compile-tested. But if you want, you can
> try :)
> Currently only IPv4 support is implemented.
>
> https://people.freebsd.org/~ae/ipsec_transport_mode_ctlinput.diff

In fact, I faced this problem a long time ago too, and I work around it with different approaches like "ipfw tcp-setmss" (MSS adjust) or by using IPSec transport mode with a gif(4) interface removing the DF bit from encapsulated packets.

I was going to test your patch with my home router, but the patch does not apply to stable/11 at all. Do you have time to adjust it to stable/11?