IPSec transport mode, mtu, fragmentation...

Eugene Grosbein eugen at grosbein.net
Mon Dec 23 10:06:15 UTC 2019

23.12.2019 16:44, Andrey V. Elsukov wrote:

> On 23.12.2019 12:39, Andrey V. Elsukov wrote:
>> On 20.12.2019 19:22, Victor Sudakov wrote:
>>>> What's the root of the problem? ESP packets cannot get fragmented or
>>>> what? 
>>> Wireshark has shown that the "Don't Fragment" flag is set on all ESP
>>> (protocol 50) packets. Who does this, why, and how can I switch it off
>>> globally?
>> Hi,
>> I think this DF flag is originally from TCP packet.
>> ESP xform for transport mode just replaces protocol in IP header and
>> adds some info to the end of a packet.
> This is controlled by net.inet.tcp.path_mtu_discovery variable.
> TCP won't set IP_DF flag if you disable this feature.

Disabling PMTUD globally results in small outgoing TCP packets for all connections, encrypted or not.
Performance may degrade.
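The mechanism Andrey describes (the transport-mode ESP transform keeps the original IP header, DF bit included, swaps the protocol number to 50 and grows the packet with the ESP header and trailer) can be modelled in a few lines. The following is an added Python example, not code from this thread or from the FreeBSD kernel; the addresses, SPI, and the 16-byte IV, block and ICV sizes are assumptions chosen to resemble an AES-CBC style SA, and the ciphertext is left as zero bytes because only the lengths matter for the MTU question:

```python
"""Model the IPv4/TCP -> ESP transport-mode transform and show why a
full-size TCP segment with DF set no longer fits the MTU afterwards.
Added illustration; sizes and addresses below are assumptions."""
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50
IP_DF = 0x4000  # "Don't Fragment" bit in the IPv4 flags/fragment-offset field


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload: bytes, proto: int, df: bool,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02") -> bytes:
    """Minimal IPv4 packet: 20-byte header, no options. DF set when the
    TCP stack does path-MTU discovery (net.inet.tcp.path_mtu_discovery=1)."""
    flags_frag = IP_DF if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Header fields that matter here: header length, total length, protocol, DF."""
    (ver_ihl, _tos, total_len, _id, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"ihl": (ver_ihl & 0x0F) * 4, "total_len": total_len,
            "proto": proto, "df": bool(flags_frag & IP_DF)}


def esp_transport_encap(pkt: bytes, spi=0x1000, seq=1,
                        iv_len=16, block=16, icv_len=16) -> bytes:
    """Transport-mode ESP: the original IP header is kept (so DF survives),
    protocol becomes 50, the ESP header (SPI, seq, IV) goes in front of the
    old payload and padding + pad-length + next-header + ICV are appended."""
    hdr = parse_ipv4(pkt)
    ip_hdr, payload = pkt[:hdr["ihl"]], pkt[hdr["ihl"]:]
    pad_len = (-(len(payload) + 2)) % block   # align payload + 2 trailer bytes to the cipher block
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, hdr["proto"]])
    esp_body = (struct.pack("!II", spi, seq) + b"\x00" * iv_len
                + payload + trailer + b"\x00" * icv_len)
    new_hdr = bytearray(ip_hdr)
    new_hdr[9] = IPPROTO_ESP                                   # protocol field replaced
    struct.pack_into("!H", new_hdr, 2, len(ip_hdr) + len(esp_body))
    struct.pack_into("!H", new_hdr, 10, 0)
    struct.pack_into("!H", new_hdr, 10, ipv4_checksum(bytes(new_hdr)))
    return bytes(new_hdr) + esp_body


def mtu_verdict(pkt: bytes, mtu: int) -> str:
    """What happens to the packet on a link with the given MTU."""
    hdr = parse_ipv4(pkt)
    if hdr["total_len"] <= mtu:
        return "fits"
    return "drop-df" if hdr["df"] else "fragment"   # DF set: dropped, ICMP "frag needed" goes back


def max_tcp_payload(mtu=1500, tcp_hdr=20, iv_len=16, block=16, icv_len=16) -> int:
    """Largest TCP data length whose ESP transport-mode packet still fits mtu."""
    best = 0
    for data in range(mtu):
        payload = tcp_hdr + data
        pad_len = (-(payload + 2)) % block
        if 20 + 8 + iv_len + payload + pad_len + 2 + icv_len <= mtu:
            best = data
    return best


def demo(mtu=1500, mss=1460) -> dict:
    """Constructed full-size TCP segment (20-byte header + mss data) sent with
    PMTUD on (DF set) and off (DF clear), then run through the ESP transform."""
    tcp_segment = b"\x00" * 20 + b"A" * mss
    out = {}
    for label, pmtud in (("pmtud_on", True), ("pmtud_off", False)):
        esp = esp_transport_encap(build_ipv4(tcp_segment, IPPROTO_TCP, df=pmtud))
        h = parse_ipv4(esp)
        out[label] = (h["df"], h["total_len"], mtu_verdict(esp, mtu))
    return out


if __name__ == "__main__":
    for label, (df, size, verdict) in demo().items():
        print(f"{label}: DF={df} ESP packet={size} bytes -> {verdict}")
    print("largest TCP payload that fits after ESP:", max_tcp_payload())
```

With the assumed SA parameters a 1500-byte TCP packet becomes a 1548-byte ESP packet; with PMTUD on it keeps DF and is dropped, with PMTUD off it is fragmented instead, and `max_tcp_payload()` shows how much TCP data would fit in 1500 bytes after encapsulation. Adjust `iv_len`, `block` and `icv_len` to the actual cipher and authenticator of the SA when using the numbers for a real link.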

More information about the freebsd-net mailing list