Date: Thu, 15 Jan 2015 10:07:12 +0100
From: Harald Schmalzbauer <h.schmalzbauer@omnilan.de>
To: Mark Felder <feld@freebsd.org>
Cc: freebsd-stable@freebsd.org
Subject: Re: PMTU (must fragment) with ipsec [Was: Re: ipsec routing issue]
Message-ID: <54B78340.8090806@omnilan.de>
In-Reply-To: <1421269976.1116901.213997149.582CB93B@webmail.messagingengine.com>
References: <54A17F33.2020708@ish.com.au> <AE3247B4-5692-4143-B8D4-3E5783C6F2CF@lists.zabbadoz.net> <54A1ED2F.2070305@heuristicsystems.com.au> <54AA5613.4050303@omnilan.de> <1421269976.1116901.213997149.582CB93B@webmail.messagingengine.com>
Regarding Mark Felder's message of 14.01.2015 22:12 (localtime):
…
>> My last attempt was adding disc(4), assign it an MTU of 1420 and add a
>> static route which points to disc.
>> That works for 'route get remotelan' on the router itself, it's
>> reporting correctly the mtu of 1420, but nevertheless, the router never
>> returns "must fragment" (which I'd need because FreeBSD has PMTU on and
>> we use jumbo frames).
>> Apparently fragmentation is handled before packets arrive at the
>> outgoing interface. Of course, kernel policy "steals" the packet before
>> it reaches "outgoing" state.
>> Do I miss any trick?
>>
> You can apply an MTU to a route instead of an interface, so perhaps that
> would work better? Just add -mtu 1420 at the end of your route statement
> and it will work its magic. :-)

Thanks for the hint!
But essentially the same happens for both types of MTU propagation. The local routing table forces packet length for outgoing packets on the router. In the gif(4)-less IPsec tunnel scenario, there is no "outgoing" packet on the router. So hosts which forward packets to the router will never receive a "must fragment" ICMP answer to packets larger than the MTU set on the router.
I had to set the MTU on every single client in the LAN…
Not what I'm looking for, I'd like to get my router informing clients!

I still have no idea how to accomplish this :-(

Thanks for further hints in advance,

-Harry
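As an added illustration (not code from the thread or from FreeBSD), assuming constructed addresses and a constructed 9000-byte jumbo packet: this builds the ICMP "fragmentation needed" message the router would have to emit so a LAN client learns the 1420-byte tunnel MTU, and shows the checks a receiving host should run (checksum, type/code, quoted header belongs to a flow it sent, reported MTU smaller than the offending packet) before trusting it.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, total_len: int, proto: int, df: bool = True) -> bytes:
    """Minimal 20-byte IPv4 header (no options); DF set so PMTU discovery applies."""
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def build_frag_needed(offending_packet: bytes, next_hop_mtu: int) -> bytes:
    """ICMP Destination Unreachable, code 4 (RFC 792/1191): type, code, checksum,
    16 unused bits, next-hop MTU, then the original IP header + first 8 payload bytes."""
    quoted = offending_packet[:28]
    msg = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]

def parse_frag_needed(icmp: bytes, expected_src: str, expected_dst: str):
    """Return the advertised MTU only if the message is well-formed and plausibly
    refers to a packet this host (expected_src) sent to expected_dst; else None."""
    if len(icmp) < 28 or inet_checksum(icmp) != 0:
        return None
    typ, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if typ != 3 or code != 4:
        return None
    quoted = icmp[8:]
    ver_ihl, _, qlen = struct.unpack("!BBH", quoted[:4])
    src, dst = socket.inet_ntoa(quoted[12:16]), socket.inet_ntoa(quoted[16:20])
    if ver_ihl >> 4 != 4 or src != expected_src or dst != expected_dst:
        return None
    if mtu < 68 or mtu >= qlen:  # RFC 1191: MTU must be below the offending packet size
        return None
    return mtu

if __name__ == "__main__":
    # Constructed sample: a 9000-byte TCP jumbo from a LAN host toward the remote LAN.
    jumbo = ipv4_header("10.0.0.5", "10.1.0.7", 9000, 6) + bytes(range(16))
    icmp = build_frag_needed(jumbo, 1420)
    print("router would advertise MTU:", parse_frag_needed(icmp, "10.0.0.5", "10.1.0.7"))
```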