kern/103135: ipsec with ipfw divert (not NAT) encodes a packet twice breaking PMTUD
eugen at kuzbass.ru
Mon Jan 1 01:40:23 PST 2007
The following reply was made to PR kern/103135; it has been noted by GNATS.
From: Eugene Grosbein <eugen at kuzbass.ru>
To: bug-followup at freebsd.org
Cc: julian at elischer.org
Subject: Re: kern/103135: ipsec with ipfw divert (not NAT) encodes a packet twice
Date: Mon, 01 Jan 2007 15:52:26 +0700
I've found that when DUMMYNET reinjects a packet into the stack
to pass it through the next ipfw rules, it is processed by IPSEC a second time too.
And it is encapsulated with ESP a second time, breaking PMTUD again.
I've found an acceptable workaround: we need to tell the IPSEC code
not to process already encapsulated packets:
spdadd 220.127.116.11/32 18.104.22.168/32 esp -P out none;
Sadly, the setkey(8) parser has a bug preventing us from using this workaround.
for details and trivial patch against setkey.
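The size arithmetic behind the PMTUD breakage described in this PR, as an added illustration (this is not code from the PR, from FreeBSD, or from the reporter). It models IPv4 ESP tunnel mode with assumed transform parameters resembling AES-CBC plus HMAC-SHA1-96 (16-byte IV and block, 12-byte ICV); the link MTU of 1500 and the helper names are likewise assumptions. A sender that has been told the path MTU after one ESP encapsulation sizes its packets to fit exactly once; when the stack encapsulates the same packet a second time, the result exceeds the link MTU, and with DF set it is dropped while the reported PMTU never shrinks further.

```python
"""Simplified model of ESP tunnel-mode overhead, used to show why
encapsulating a packet twice breaks path-MTU discovery.

Added example, not part of PR kern/103135. All transform parameters
below are assumptions; adjust them to match the SA actually in use.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class EspTransform:
    outer_ip_hdr: int = 20  # outer IPv4 header without options (assumption)
    esp_hdr: int = 8        # SPI + sequence number
    iv_len: int = 16        # AES-CBC IV (assumption)
    block: int = 16         # cipher block size that padding rounds to (assumption)
    trailer: int = 2        # pad length + next header
    icv_len: int = 12       # HMAC-SHA1-96 ICV (assumption)


def esp_tunnel_size(inner_len: int, t: EspTransform = EspTransform()) -> int:
    """Wire size of an inner IP packet after one ESP tunnel-mode encapsulation."""
    # Padding makes (payload + pad + trailer) a multiple of the cipher block size.
    pad = (-(inner_len + t.trailer)) % t.block
    return (t.outer_ip_hdr + t.esp_hdr + t.iv_len
            + inner_len + pad + t.trailer + t.icv_len)


def max_inner_for_mtu(mtu: int, t: EspTransform = EspTransform()) -> int:
    """Largest inner packet that still fits in `mtu` after ONE encapsulation.

    This is the path MTU an IPsec-aware stack would report to the sender:
    it accounts for exactly one layer of ESP overhead.
    """
    size = mtu
    while esp_tunnel_size(size, t) > mtu:
        size -= 1
    return size


def encapsulate(inner_len: int, times: int,
                t: EspTransform = EspTransform()) -> List[int]:
    """Sizes after 0..times encapsulations of the same packet."""
    sizes = [inner_len]
    for _ in range(times):
        sizes.append(esp_tunnel_size(sizes[-1], t))
    return sizes


def fits_after(inner_len: int, times: int, mtu: int,
               t: EspTransform = EspTransform()) -> bool:
    """True if the packet still fits the link MTU after `times` encapsulations."""
    return encapsulate(inner_len, times, t)[-1] <= mtu


def main() -> None:
    mtu = 1500  # assumed link MTU
    pmtu = max_inner_for_mtu(mtu)
    print(f"link MTU {mtu}: PMTU reported to sender (one ESP layer) = {pmtu}")
    for times in (1, 2):
        sizes = encapsulate(pmtu, times)
        verdict = "ok" if sizes[-1] <= mtu else "exceeds MTU, dropped if DF set"
        print(f"  encapsulated {times}x: {sizes} -> {verdict}")


if __name__ == "__main__":
    main()
```

The second iteration is the divert/dummynet reinjection path from the PR: the sender already honours the advertised PMTU, so the oversized packet is a product of the stack, not of the sender, and no ICMP need-fragmentation message can fix it. The `spdadd ... -P out none` policy in the PR prevents the second pass by exempting already-encapsulated traffic from the SPD lookup.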