From owner-freebsd-bugs@FreeBSD.ORG Mon Jan 1 09:40:23 2007
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 531BA16A4FB; Mon, 1 Jan 2007 09:40:23 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id 032C313C45D; Mon, 1 Jan 2007 09:40:23 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l019eMHs040662; Mon, 1 Jan 2007 09:40:22 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l019eMu3040661; Mon, 1 Jan 2007 09:40:22 GMT (envelope-from gnats)
Date: Mon, 1 Jan 2007 09:40:22 GMT
Message-Id: <200701010940.l019eMu3040661@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Eugene Grosbein
Subject: Re: kern/103135: ipsec with ipfw divert (not NAT) encodes a packet twice breaking PMTUD
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Eugene Grosbein
List-Id: Bug reports
X-List-Received-Date: Mon, 01 Jan 2007 09:40:23 -0000

The following reply was made to PR kern/103135; it has been noted by GNATS.

From: Eugene Grosbein
To: bug-followup@freebsd.org
Cc: julian@elischer.org
Subject: Re: kern/103135: ipsec with ipfw divert (not NAT) encodes a packet twice breaking PMTUD
Date: Mon, 01 Jan 2007 15:52:26 +0700

Hi!

I've found that when DUMMYNET reinjects a packet to the stack to pass it over the next ipfw rules, it is processed with IPSEC a second time too. And it is encapsulated with ESP a second time, breaking PMTUD, again.
I've found an acceptable workaround: we need to tell the IPSEC code not to process already encapsulated packets:

spdadd 1.1.1.1/32 2.2.2.2/32 esp -P out none;

Sadly, the setkey(8) parser has a bug preventing us from using this workaround. See http://www.freebsd.org/cgi/query-pr.cgi?pr=107392 for details and a trivial patch against setkey.

Eugene
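The workaround above relies on the SPD containing an explicit "esp -P out none" entry for the tunnel endpoints, so that a packet re-injected after dummynet/divert matches that bypass instead of the tunnel policy. The following added example (not part of the PR or of FreeBSD) is a small audit script: it parses spdadd lines in the setkey(8) syntax shown in this thread and reports every outbound ESP tunnel whose endpoints lack such a bypass entry. The two SPD fragments it checks are constructed for illustration; the 10.0.0.0/24 and 10.1.0.0/24 networks are assumed.

```python
import re

# Minimal parser for setkey(8) SPD entries of the form
#   spdadd SRC DST UPPER -P DIR POLICY ;
# Only what this check needs is handled (constructed example, not FreeBSD code).
SPD_RE = re.compile(
    r"^\s*spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+(.+?)\s*;\s*$"
)
# Extracts the tunnel endpoints from a policy such as esp/tunnel/1.1.1.1-2.2.2.2/require
TUNNEL_RE = re.compile(r"esp/tunnel/([^-/]+)-([^/]+)/")

def parse_spd(text):
    """Return (src, dst, upper_proto, direction, policy) tuples, ignoring comments."""
    entries = []
    for line in text.splitlines():
        m = SPD_RE.match(line.split("#", 1)[0])
        if m:
            entries.append(m.groups())
    return entries

def missing_esp_bypass(text):
    """For each outbound ESP tunnel policy, check that the tunnel endpoints have an
    explicit 'esp -P out none' entry, so a packet the kernel re-injects (e.g. after
    dummynet or divert) is not encapsulated a second time. Returns the list of
    (local, remote) endpoint pairs that lack such a bypass."""
    entries = parse_spd(text)
    bypass = {(s, d) for s, d, up, dirn, pol in entries
              if up == "esp" and dirn == "out" and pol == "none"}
    missing = []
    for s, d, up, dirn, pol in entries:
        t = TUNNEL_RE.search(pol) if dirn == "out" else None
        if not t:
            continue
        local, remote = t.group(1), t.group(2)
        # The bypass may name the endpoints as host prefixes (/32) or bare addresses.
        if (local + "/32", remote + "/32") not in bypass and (local, remote) not in bypass:
            missing.append((local, remote))
    return missing

# Constructed SPD fragments: a tunnel between 1.1.1.1 and 2.2.2.2, first without
# and then with the bypass entry from the PR follow-up.
SPD_WITHOUT_BYPASS = """
spdadd 10.0.0.0/24 10.1.0.0/24 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 10.1.0.0/24 10.0.0.0/24 any -P in  ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;
"""
SPD_WITH_BYPASS = SPD_WITHOUT_BYPASS + "spdadd 1.1.1.1/32 2.2.2.2/32 esp -P out none;\n"

if __name__ == "__main__":
    for name, spd in (("without bypass", SPD_WITHOUT_BYPASS), ("with bypass", SPD_WITH_BYPASS)):
        print(name, "-> tunnels lacking ESP bypass:", missing_esp_bypass(spd))
```

The script only inspects the policy file; whether the running kernel actually honours the bypass entry still depends on the setkey(8) parser fix referenced in the PR.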