PMTU (must fragment) with ipsec [Was: Re: ipsec routing issue]
Harald Schmalzbauer
h.schmalzbauer at omnilan.de
Thu Jan 15 09:07:19 UTC 2015
Regarding Mark Felder's message of 14.01.2015 22:12 (localtime):
…
>> My last attempt was adding disc(4), assign it a MTU of 1420 and add a
>> static route which points to disc.
>> That works for 'route get remotelan' on the router itself, it's
>> reporting correctly the mtu of 1420, but nevertheless, the router never
>> returns "must fragment" (which I'd need because FreeBSD has PMTU on and
>> we use jumbo frames).
>> Apparently fragmentation is handled before packets arrive at the
>> outgoing interface. Of course, kernel policy "steals" the packet before
>> it reaches "outgoing" state.
>> Do I miss any trick?
>>
> You can apply an MTU to a route instead of an interface, so perhaps that
> would work better? Just add -mtu 1420 at the end of your route statement
> and it will work its magic. :-)
Thanks for the hint!
But essentially the same happens for both types of MTU propagation.
The local routing table forces packet length for outgoing packets on the
router.
In the gif(4)-less IPSec-tunnel scenario, there is no "outgoing" packet
on the router.
So hosts which forward packets to the router will never receive a "must
fragment" ICMP answer to packets larger than the MTU set on the router.
I had to set the MTU on every single client in the lan… Not what I'm
looking for, I'd like to get my router informing clients!
I still have no idea how to accomplish this :-(
Thanks for further hints in advance,
-Harry