kern/103135: ipsec with ipfw divert (not NAT) encodes a packet twice breaking PMTUD
Eugene Grosbein
eugen at kuzbass.ru
Mon Jan 1 01:40:23 PST 2007
The following reply was made to PR kern/103135; it has been noted by GNATS.
From: Eugene Grosbein <eugen at kuzbass.ru>
To: bug-followup at freebsd.org
Cc: julian at elischer.org
Subject: Re: kern/103135: ipsec with ipfw divert (not NAT) encodes a packet twice breaking PMTUD
Date: Mon, 01 Jan 2007 15:52:26 +0700
Hi!
I've found that when DUMMYNET reinjects a packet into the stack
to pass it over the next ipfw rules, it is processed by IPSEC a second time too.
And it is encapsulated with ESP a second time, breaking PMTUD again.
I've found an acceptable workaround: we need to tell the IPSEC code
not to process already encapsulated packets:
spdadd 1.1.1.1/32 2.2.2.2/32 esp -P out none;
Sadly, the setkey(8) parser has a bug preventing us from using this workaround.
See http://www.freebsd.org/cgi/query-pr.cgi?pr=107392
for details and trivial patch against setkey.
Eugene
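The double pass through IPSEC and the effect of the bypass policy, as an added example that is not from the PR or from the FreeBSD source: a simplified Python model of the output path. It assumes a first-match SPD lookup in listed order, a fixed 56-byte ESP tunnel overhead, and tunnel endpoints equal to the packet's own addresses; all three are assumptions, and every name is hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ESP_PROTO = 50            # IP protocol number carried by an ESP-encapsulated packet
ESP_OVERHEAD = 56         # assumed per-pass growth: outer IP header + ESP header/trailer/ICV
PROTO_NUM = {"any": None, "esp": ESP_PROTO}

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    size: int
    encaps: int = 0       # number of ESP encapsulations applied so far

@dataclass
class Policy:             # one "spdadd src dst upperspec -P out <action>;" line
    src: str
    dst: str
    upper: str            # "any" or "esp"
    action: str           # "ipsec" (encapsulate) or "none" (bypass IPSEC)

def spd_lookup(spd, pkt):
    """First matching outbound entry wins (assumed ordering for this model)."""
    for pol in spd:
        if (ip_address(pkt.src) in ip_network(pol.src)
                and ip_address(pkt.dst) in ip_network(pol.dst)
                and (pol.upper == "any" or PROTO_NUM[pol.upper] == pkt.proto)):
            return pol
    return None

def ip_output(spd, pkt):
    """One pass through the output path: apply ESP only if the SPD says so."""
    pol = spd_lookup(spd, pkt)
    if pol is not None and pol.action == "ipsec":
        # Tunnel endpoints are assumed to equal the packet's own addresses.
        return Packet(pkt.src, pkt.dst, ESP_PROTO, pkt.size + ESP_OVERHEAD, pkt.encaps + 1)
    return pkt

def send_through_pipe(spd, pkt, mtu=1500):
    """ip_output -> ipfw pipe -> dummynet reinject -> ip_output again.
    Returns (encapsulations, final size, exceeds_mtu)."""
    after_reinject = ip_output(spd, ip_output(spd, pkt))
    return after_reinject.encaps, after_reinject.size, after_reinject.size > mtu

# Constructed policies: the tunnel policy for host traffic, and the mail's bypass entry
TUNNEL = Policy("1.1.1.1/32", "2.2.2.2/32", "any", "ipsec")
BYPASS = Policy("1.1.1.1/32", "2.2.2.2/32", "esp", "none")   # spdadd ... esp -P out none;
```

A 1420-byte segment sized for one ESP overhead fits a 1500-byte MTU once, but the reinjected pass encapsulates it again unless the `esp -P out none` entry matches first.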