PMTU (must fragment) with ipsec [Was: Re: ipsec routing issue]
Harry Schmalzbauer
freebsd at omnilan.de
Mon Jan 5 09:15:05 UTC 2015
Regarding Dewayne Geraghty's message of 30.12.2014 01:09 (localtime):
> Ari,
>
> Bjoern offers good advice (as usual). This practical example might

Hello,

I'm quite familiar with ipsec(4), enc(1) and companions, but I haven't
found a way to make routers return ICMP "must fragment" with gif-less
tunnels.

My last attempt was adding disc(4), assigning it an MTU of 1420 and adding a
static route which points to disc.
That works for 'route get remotelan' on the router itself, it
correctly reports the mtu of 1420, but nevertheless, the router never
returns "must fragment" (which I'd need because FreeBSD has PMTU on and
we use jumbo frames).

Apparently fragmentation is handled before packets arrive at the
outgoing interface. Of course, kernel policy "steals" the packet before
it reaches "outgoing" state.

Am I missing any trick?

Thanks,
-Harry

More information about the freebsd-stable mailing list