IPSec transport mode, mtu, fragmentation...

Andrey V. Elsukov bu7cher at yandex.ru
Mon Dec 23 09:46:01 UTC 2019


On 23.12.2019 12:39, Andrey V. Elsukov wrote:
> On 20.12.2019 19:22, Victor Sudakov wrote:
>>> What's the root of the problem? ESP packets cannot get fragmented or
>>> what? 
>>
>> Wireshark has shown that the "Don't Fragment" flag is set on all ESP
>> (protocol 50) packets. Who does this, why, and how can I switch it off
>> globally?
> 
> Hi,
> 
> I think this DF flag originally comes from the TCP packet.
> The ESP xform for transport mode just replaces the protocol in the IP header
> and adds some info to the end of the packet.

This is controlled by the net.inet.tcp.path_mtu_discovery sysctl variable.
TCP won't set the IP_DF flag if you disable this feature.

-- 
WBR, Andrey V. Elsukov
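The mechanism described in the reply above, as an added example that is not part of the thread and not FreeBSD's IPsec code: a small IPv4 header model in which the transport-mode ESP transform keeps the original header (DF bit included) and only rewrites the protocol field and length, while tunnel mode builds a new outer header whose DF bit is chosen separately. The ESP header/trailer sizes, the sample addresses and the 40-byte segment are constructed assumptions; no real ESP framing or cryptography is performed, and `df_after_transport` is a hypothetical helper that stands in for the effect of the sysctl on the TCP stack.

```python
"""
Added example, not code from the mailing-list thread or from FreeBSD:
a minimal IPv4 header model showing why an ESP transport-mode packet
carries the same DF bit as the TCP packet it wraps, while tunnel mode
gets a fresh outer header whose DF bit is a separate decision.
Only IP header handling is modelled; the ESP overhead sizes and the
sample packet below are constructed assumptions, and no real ESP
framing or crypto is performed.
"""
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50
IP_DF = 0x4000            # Don't Fragment bit in the flags/fragment-offset word
ESP_HEAD = 8 + 16         # assumed: SPI + sequence number, then a 16-byte IV
ESP_TAIL = 2 + 12         # assumed: pad length + next header, then a 12-byte ICV


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over a valid header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes,
               df: bool, ttl: int = 64) -> bytes:
    """Encode a 20-byte IPv4 header (no options) and append the payload."""
    flags_frag = IP_DF if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, ttl, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed IPv4 header; 'checksum_ok' is True for a valid header."""
    (_, _, tlen, _, flags_frag, ttl, proto, _, src, dst) = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"total_length": tlen, "df": bool(flags_frag & IP_DF),
            "proto": proto, "ttl": ttl, "src": src, "dst": dst,
            "payload": pkt[20:], "checksum_ok": ip_checksum(pkt[:20]) == 0}


def esp_transport(pkt: bytes) -> bytes:
    """Transport-mode transform as described in the thread: the original IP
    header is kept (addresses, TTL and DF bit included); only the protocol
    field becomes 50 and the length grows by the ESP header and trailer."""
    p = parse_ipv4(pkt)
    body = b"\0" * ESP_HEAD + p["payload"] + b"\0" * ESP_TAIL
    return build_ipv4(p["src"], p["dst"], IPPROTO_ESP, body,
                      df=p["df"], ttl=p["ttl"])


def esp_tunnel(pkt: bytes, outer_src: bytes, outer_dst: bytes,
               outer_df: bool = False) -> bytes:
    """Tunnel-mode transform: the whole inner packet becomes the ESP payload
    and a brand-new outer header is built, so the inner DF bit no longer
    decides whether the outer packet may be fragmented."""
    body = b"\0" * ESP_HEAD + pkt + b"\0" * ESP_TAIL
    return build_ipv4(outer_src, outer_dst, IPPROTO_ESP, body, df=outer_df)


# Constructed sample: a 40-byte stand-in for a TCP segment between two hosts.
SRC, DST = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"
TCP_PAYLOAD = b"\0" * 40


def df_after_transport(path_mtu_discovery: bool) -> bool:
    """Hypothetical helper: whether the ESP packet ends up with DF set, given
    whether the TCP stack set DF on the cleartext packet (the effect of
    net.inet.tcp.path_mtu_discovery described in the thread)."""
    tcp = build_ipv4(SRC, DST, IPPROTO_TCP, TCP_PAYLOAD, df=path_mtu_discovery)
    return parse_ipv4(esp_transport(tcp))["df"]


if __name__ == "__main__":
    tcp = build_ipv4(SRC, DST, IPPROTO_TCP, TCP_PAYLOAD, df=True)
    for name, pkt in [("transport", esp_transport(tcp)),
                      ("tunnel", esp_tunnel(tcp, SRC, DST))]:
        p = parse_ipv4(pkt)
        print(f"{name}: proto={p['proto']} df={p['df']} len={p['total_length']}")
```

Running it shows the transport-mode packet with protocol 50 and DF still set (and a header checksum that still verifies), whereas the tunnel-mode packet carries whatever DF value the outer header was built with. Clearing DF on the cleartext TCP packet, as disabling path MTU discovery does, is what clears it on the transport-mode ESP packet.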



More information about the freebsd-net mailing list