Date: Mon, 05 Jan 2015 10:14:59 +0100
From: Harry Schmalzbauer <freebsd@omnilan.de>
To: FreeBSD Stable <freebsd-stable@freebsd.org>
Cc: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>, Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>
Subject: PMTU (must fragment) with ipsec [Was: Re: ipsec routing issue]
Message-ID: <54AA5613.4050303@omnilan.de>
In-Reply-To: <54A1ED2F.2070305@heuristicsystems.com.au>
References: <54A17F33.2020708@ish.com.au> <AE3247B4-5692-4143-B8D4-3E5783C6F2CF@lists.zabbadoz.net> <54A1ED2F.2070305@heuristicsystems.com.au>

Regarding Dewayne Geraghty's message of 30.12.2014 01:09 (localtime):
> Ari,
>
> Bjoern offers good advice (as usual). This practical example might

Hello,

I'm quite familiar with ipsec(4), enc(1) and companions, but I haven't found a way to make routers return ICMP "must fragment" with gif-less tunnels.

My last attempt was adding disc(4), assigning it an MTU of 1420 and adding a static route which points to disc. That works for 'route get remotelan' on the router itself, it's reporting correctly the mtu of 1420, but nevertheless, the router never returns "must fragment" (which I'd need because FreeBSD has PMTU on and we use jumbo frames).

Apparently fragmentation is handled before packets arrive at the outgoing interface. Of course, kernel policy "steals" the packet before it reaches "outgoing" state.

Do I miss any trick?

Thanks,

-Harry