PMTU (must fragment) with ipsec [Was: Re: ipsec routing issue]
Mark Felder
feld at FreeBSD.org
Wed Jan 14 21:12:57 UTC 2015
On Mon, Jan 5, 2015, at 03:14, Harry Schmalzbauer wrote:
> Regarding Dewayne Geraghty's message of 30.12.2014 01:09 (localtime):
> > Ari,
> >
> > Bjoern offers good advice (as usual). This practical example might
>
> Hello,
>
> I'm quite familiar with ipsec(4), enc(1) and companions, but I haven't
> found a way to make routers return ICMP "must fragment" with gif-less
> tunnels.
> My last attempt was adding disc(4), assigning it an MTU of 1420 and adding a
> static route which points to disc.
> That works for 'route get remotelan' on the router itself, it's
> reporting correctly the mtu of 1420, but nevertheless, the router never
> returns "must fragment" (which I'd need because FreeBSD has PMTU on and
> we use jumbo frames).
> Apparently fragmentation is handled before packets arrive at the
> outgoing interface. Of course, kernel policy "steals" the packet before
> it reaches "outgoing" state.
> Am I missing any trick?
>
You can apply an MTU to a route instead of an interface, so perhaps that
would work better? Just add -mtu 1420 at the end of your route statement
and it will work its magic. :-)