From owner-freebsd-stable@FreeBSD.ORG  Thu Nov  9 18:41:35 2006
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
X-Original-To: freebsd-stable@freebsd.org
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1740D16A47C
	for <freebsd-stable@freebsd.org>; Thu,  9 Nov 2006 18:41:35 +0000 (UTC)
	(envelope-from jhugo@icomtek.csir.co.za)
Received: from marge.meraka.csir.co.za (marge.meraka.csir.co.za [146.64.28.1])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 82AC943D53
	for <freebsd-stable@freebsd.org>; Thu,  9 Nov 2006 18:41:29 +0000 (GMT)
	(envelope-from jhugo@icomtek.csir.co.za)
Received: from [2001:4200:7000:3:211:43ff:feba:aff1] (unknown
	[IPv6:2001:4200:7000:3:211:43ff:feba:aff1])
	by marge.meraka.csir.co.za (Postfix) with ESMTP id B2BE08FC49
	for <freebsd-stable@freebsd.org>; Thu,  9 Nov 2006 20:41:24 +0200 (SAST)
From: Johann Hugo <jhugo@icomtek.csir.co.za>
To: freebsd-stable@freebsd.org
Date: Thu, 9 Nov 2006 20:41:23 +0200
User-Agent: KMail/1.8
References: <4550C4B6.7090306@tomjudge.com>
In-Reply-To: <4550C4B6.7090306@tomjudge.com>
MIME-Version: 1.0
Content-Disposition: inline
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <200611092041.23536.jhugo@icomtek.csir.co.za>
Subject: Re: FreeBSD 6.1 IPsec Path MTU Discovery
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Nov 2006 18:41:35 -0000

On Tuesday 07 November 2006 19:39, Tom Judge wrote:
> Hi,
>
> I am seeing some problems with some problems with IPsec encrypted gif
> tunnels and path mtu discovery.
>
> It seems that the router with the IPsec tunnel sends an ICMP need to
> frag packet with the next hop mtu set to 0. This causes ssh to
> retransmit a the same packet without reducing the size of the data payload.
>
> Is this a know problem? If so are there any know work arounds?

I'm seeing the same problem on my gif tunnel.

For an interim work around you can reduce the MTU size between Box1 and Box2 
e.g "route change Box2 -mtu 1200". After it's starts working you can change it 
back to 1500 en it keeps on working. 
 
Don't ask me why it works, I'm still trying to figure out what the problem is.

Johann