Message-ID: <455397EE.7030305@tomjudge.com>
Date: Thu, 09 Nov 2006 21:04:46 +0000
From: Tom Judge
To: Johann Hugo
Cc: freebsd-stable@freebsd.org
Subject: Re: FreeBSD 6.1 IPsec Path MTU Discovery

Johann Hugo wrote:
> On Tuesday 07 November 2006 19:39, Tom Judge wrote:
>
> I'm seeing the same problem on my gif tunnel.
>
> For an interim workaround you can reduce the MTU size between Box1 and Box2,
> e.g. "route change Box2 -mtu 1200". After it starts working you can change it
> back to 1500 and it keeps on working.
>
> Don't ask me why it works, I'm still trying to figure out what the problem is.
>
> Johann

I have a patch for the problem; it is related to a broken piece of code that is supposed to calculate the MTU using the size of the IP header and the size of the IPsec header. However, when the IPsec security policy is fetched, some required sections are null and the code block completely fails.

The following patch fixes the problem for me, as it allows the code to fall through to the standard MTU calculation using either the destination interface MTU or by calculating the next smallest RFC-defined MTU.

It would be interesting to see if this patch works for you. I have submitted it on the open PR but have not had a response yet.

Tom J

PR: http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/91412

Patch:

Index: sys/netinet/ip_input.c =================================================================== --- sys/netinet/ip_input.c (revision 24) +++ sys/netinet/ip_input.c (working copy) 
@@ -1990,8 +1990,8 @@ #else /* FAST_IPSEC */ KEY_FREESP(&sp); #endif - ipstat.ips_cantfrag++; - break; +// ipstat.ips_cantfrag++; +// break; } } #endif /*IPSEC || FAST_IPSEC*/
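
Review bot: at the end of the `@@ -1990,8 +1990,8 @@` hunk, disabling `ipstat.ips_cantfrag++;` and `break;` makes the fall-through unconditional, so it also happens when the policy lookup succeeded and an IPsec-adjusted MTU was already set, not only in the null case the message describes. Please confirm that the code after `#endif /*IPSEC || FAST_IPSEC*/` leaves an already computed MTU alone and still counts the packet in `ips_cantfrag`, or keep the `break` for the success case and fall through only when no MTU was derived. The two lines should also be deleted rather than left behind `//`, with a short comment saying why this block intentionally falls through.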
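
The MTU selection described in the message above, modelled as a stand-alone C program (an added example, not code from FreeBSD or from the patch). The names `sa_info`, `needfrag_mtu`, `next_lower_mtu` and the `early_break` switch are hypothetical, the guard that keeps an already computed IPsec MTU is an assumption, and the plateau values are those of RFC 1191.

```c
#include <stddef.h>
#include <stdio.h>

/* RFC 1191 section 7.1 plateau values, largest first. */
static const int plateaus[] = { 65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68 };

/* "Next smallest RFC-defined MTU": largest plateau strictly below pkt_len. */
static int next_lower_mtu(int pkt_len)
{
    size_t i;
    for (i = 0; i < sizeof(plateaus) / sizeof(plateaus[0]); i++)
        if (plateaus[i] < pkt_len)
            return plateaus[i];
    return 68; /* minimum IPv4 MTU */
}

/* Hypothetical stand-in for what the security policy lookup yields. */
struct sa_info {
    int have_route; /* 0 when the policy lacks a usable SA or route */
    int route_mtu;  /* MTU of the route the SA sends over */
    int overhead;   /* IP header plus IPsec header bytes */
};

/*
 * MTU to report in the ICMP "fragmentation needed" reply.
 * early_break = 1 models leaving as soon as a policy was found;
 * early_break = 0 models falling through to the standard calculation.
 */
int needfrag_mtu(const struct sa_info *sa, int dst_if_mtu, int pkt_len, int early_break)
{
    int mtu = 0;
    if (sa != NULL) {
        if (sa->have_route)
            mtu = sa->route_mtu - sa->overhead;
        if (early_break)
            return mtu; /* still 0 when the policy was incomplete */
    }
    if (mtu == 0) /* assumption: an IPsec MTU already computed is kept */
        mtu = dst_if_mtu > 0 ? dst_if_mtu : next_lower_mtu(pkt_len);
    return mtu;
}

int main(void)
{
    struct sa_info incomplete = { 0, 0, 56 }; /* constructed sample */
    printf("early break:  %d\n", needfrag_mtu(&incomplete, 1500, 1500, 1));
    printf("fall through: %d\n", needfrag_mtu(&incomplete, 1500, 1500, 0));
    return 0;
}
```

With the early exit and an incomplete policy the reply carries no usable MTU, which is the case where the sender cannot learn the path MTU from the reply.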