Date: Mon, 23 Dec 2019 12:44:25 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Victor Sudakov <vas@sibptus.ru>, freebsd-net@freebsd.org
Subject: Re: IPSec transport mode, mtu, fragmentation...
Message-ID: <7cc2f101-c870-c517-8e01-d656079a75be@yandex.ru>
In-Reply-To: <55eeca4c-9633-339a-f521-b0db462cc1d6@yandex.ru>
References: <20191220152314.GA55278@admin.sibptus.ru> <f38d1f3c-dc47-0776-29f9-2151b05e09b0@tuxpowered.net> <20191220160357.GB56081@admin.sibptus.ru> <20191220162233.GA56815@admin.sibptus.ru> <55eeca4c-9633-339a-f521-b0db462cc1d6@yandex.ru>

On 23.12.2019 12:39, Andrey V. Elsukov wrote:
> On 20.12.2019 19:22, Victor Sudakov wrote:
>>> What's the root of the problem? ESP packets cannot get fragmented or
>>> what?
>>
>> Wireshark has shown that the "Don't Fragment" flag is set on all ESP
>> (protocol 50) packets. Who does this, why, and how can I switch it off
>> globally?
>
> Hi,
>
> I think this DF flag is originally from TCP packet.
> ESP xform for transport mode just replaces protocol in IP header and
> adds some info to the end of a packet.

This is controlled by net.inet.tcp.path_mtu_discovery variable. TCP
won't set IP_DF flag if you disable this feature.

--
WBR, Andrey V. Elsukov
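
An added illustration of the point made in this message (not code from the thread or from FreeBSD): a simplified Python model of transport-mode ESP that reuses the original IP header, so a DF bit set by TCP is still present on the protocol 50 packet. The addresses, SPI, sequence number and zero-filled ICV are constructed, and encryption is omitted.

```python
import struct

DF = 0x4000                      # "Don't Fragment" bit in the flags/offset field
PROTO_TCP, PROTO_ESP = 6, 50

def checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build_ipv4(proto: int, payload: bytes, df: bool) -> bytes:
    """Constructed sample packet: 20-byte header, 10.0.0.1 -> 10.0.0.2."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                      DF if df else 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt: bytes) -> dict:
    """Return the fields a capture tool shows: protocol, DF flag, total length."""
    _, _, length, _, frag, _, proto, _ = struct.unpack("!BBHHHBBH", pkt[:12])
    return {"proto": proto, "df": bool(frag & DF), "len": length}

def esp_transport(pkt: bytes, spi: int, seq: int, icv_len: int = 16) -> bytes:
    """Model of the transport-mode rewrite: the IP header is kept and only
    protocol, total length and checksum change; flags (DF) are untouched.
    Assumption: payload is copied unencrypted and the ICV is zero-filled."""
    ihl = (pkt[0] & 0x0F) * 4
    inner = pkt[ihl:]
    pad = (-(len(inner) + 2)) % 4            # align pad-length + next-header
    body = (struct.pack("!II", spi, seq) + inner + bytes(range(1, pad + 1))
            + bytes([pad, pkt[9]]) + bytes(icv_len))
    hdr = bytearray(pkt[:ihl])
    hdr[9] = PROTO_ESP                        # protocol 6 -> 50
    struct.pack_into("!H", hdr, 2, ihl + len(body))
    struct.pack_into("!H", hdr, 10, 0)        # zero checksum before recomputing
    struct.pack_into("!H", hdr, 10, checksum(bytes(hdr)))
    return bytes(hdr) + body

if __name__ == "__main__":
    for df in (True, False):                  # PMTU discovery on / off
        tcp = build_ipv4(PROTO_TCP, bytes(40), df)
        print(parse_ipv4(tcp), "->", parse_ipv4(esp_transport(tcp, 0x1000, 1)))
```
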