Date: Wed, 14 Jan 2015 15:12:56 -0600
From: Mark Felder <feld@FreeBSD.org>
To: freebsd-stable@freebsd.org
Subject: Re: PMTU (must fragment) with ipsec [Was: Re: ipsec routing issue]
Message-ID: <1421269976.1116901.213997149.582CB93B@webmail.messagingengine.com>
In-Reply-To: <54AA5613.4050303@omnilan.de>
References: <54A17F33.2020708@ish.com.au> <AE3247B4-5692-4143-B8D4-3E5783C6F2CF@lists.zabbadoz.net> <54A1ED2F.2070305@heuristicsystems.com.au> <54AA5613.4050303@omnilan.de>

On Mon, Jan 5, 2015, at 03:14, Harry Schmalzbauer wrote:
> Regarding Dewayne Geraghty's message of 30.12.2014 01:09 (localtime):
> > Ari,
> >
> > Bjoern offers good advice (as usual). This practical example might
>
> Hello,
>
> I'm quite familiar with ipsec(4), enc(1) and companions, but I haven't
> found a way to make routers return ICMP "must fragment" with gif-less
> tunnels.
> My last attempt was adding disc(4), assign it a MTU of 1420 and add a
> static route which points to disc.
> That works for 'route get remotelan' on the router itself, it's
> reporting correctly the mtu of 1420, but nevertheless, the router never
> returns "must fragment" (which I'd need because FreeBSD has PMTU on and
> we use jumbo frames).
> Apparently fragmentation is handled before packets arrive at the
> outgoing interface. Of course, kernel policy "steals" the packet before
> it reaches "outgoing" state.
> Do I miss any trick?
>

You can apply an MTU to a route instead of an interface, so perhaps that
would work better? Just add -mtu 1420 at the end of your route statement
and it will work its magic. :-)

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1421269976.1116901.213997149.582CB93B>