From owner-freebsd-stable@FreeBSD.ORG Wed Jan 14 21:12:57 2015
From: Mark Felder
To: freebsd-stable@freebsd.org
Message-Id: <1421269976.1116901.213997149.582CB93B@webmail.messagingengine.com>
In-Reply-To: <54AA5613.4050303@omnilan.de>
References: <54A17F33.2020708@ish.com.au> <54A1ED2F.2070305@heuristicsystems.com.au>
  <54AA5613.4050303@omnilan.de>
Subject: Re: PMTU (must fragment) with ipsec [Was: Re: ipsec routing issue]
Date: Wed, 14 Jan 2015 15:12:56 -0600

On Mon, Jan 5, 2015, at 03:14, Harry Schmalzbauer wrote:
> Regarding Dewayne Geraghty's message of 30.12.2014 01:09 (localtime):
> > Ari,
> >
> > Bjoern offers good advice (as usual). This practical example might
>
> Hello,
>
> I'm quite familiar with ipsec(4), enc(1) and companions, but I haven't
> found a way to make routers return ICMP "must fragment" with gif-less
> tunnels.
> My last attempt was adding disc(4), assigning it an MTU of 1420 and adding a
> static route which points to disc.
> That works for 'route get remotelan' on the router itself; it's
> reporting the MTU of 1420 correctly, but nevertheless the router never
> returns "must fragment" (which I'd need because FreeBSD has PMTU on and
> we use jumbo frames).
> Apparently fragmentation is handled before packets arrive at the
> outgoing interface. Of course, kernel policy "steals" the packet before
> it reaches the "outgoing" state.
> Am I missing any trick?
>

You can apply an MTU to a route instead of an interface, so perhaps that would work better? Just add -mtu 1420 at the end of your route statement and it will work its magic. :-)
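The per-route MTU from the reply above, as an added shell example that is not from the thread: the remote network, next hop and the `route get` sample are constructed, and the check locates the mtu column by header name because its position varies between FreeBSD releases.

```shell
#!/bin/sh
# Added example, not from the thread: the per-route MTU suggested in the
# reply, plus a check that reads the MTU back from `route get` output.
# Constructed values (hypothetical): remote LAN 10.20.0.0/24 behind the
# IPsec tunnel, next hop 192.0.2.1. The MTU of 1420 is the thread's value.

REMOTE_NET="10.20.0.0/24"
NEXT_HOP="192.0.2.1"
ROUTE_MTU=1420

# Build the route(8) command. The MTU is attached to the route, so the
# forwarding path sees 1420 for this destination while the interface keeps
# its jumbo-frame MTU.
build_route_cmd() {
    printf 'route add -net %s %s -mtu %s\n' "$REMOTE_NET" "$NEXT_HOP" "$ROUTE_MTU"
}

# Read `route get` output on stdin and print the mtu column. Its position
# differs between FreeBSD releases, so locate the column by header name.
route_mtu_from_get() {
    awk '/^[[:space:]]*recvpipe/ {
            for (i = 1; i <= NF; i++) if ($i == "mtu") col = i
            getline
            if (col) print $col
            exit
         }'
}

# Constructed sample of `route get` for the route above (FreeBSD layout;
# the numbers are made up for this example).
sample_route_get() {
    cat <<'EOF'
   route to: 10.20.0.1
destination: 10.20.0.0
       mask: 255.255.255.0
    gateway: 192.0.2.1
        fib: 0
  interface: em0
      flags: <UP,GATEWAY,DONE,STATIC>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1420         1         0
EOF
}

# Succeeds only when the route reports the MTU we asked for.
check_route_mtu() {   # usage: route get <dst> | check_route_mtu 1420
    [ "$(route_mtu_from_get)" = "$1" ]
}

if [ "${1:-}" = "--demo" ]; then build_route_cmd; sample_route_get | check_route_mtu "$ROUTE_MTU" && echo "route MTU ok"; fi
```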