Date: Mon, 1 Jan 2007 09:40:22 GMT
From: Eugene Grosbein <eugen@kuzbass.ru>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/103135: ipsec with ipfw divert (not NAT) encodes a packet twice breaking PMTUD
Message-ID: <200701010940.l019eMu3040661@freefall.freebsd.org>
The following reply was made to PR kern/103135; it has been noted by GNATS.

From: Eugene Grosbein <eugen@kuzbass.ru>
To: bug-followup@freebsd.org
Cc: julian@elischer.org
Subject: Re: kern/103135: ipsec with ipfw divert (not NAT) encodes a packet twice breaking PMTUD
Date: Mon, 01 Jan 2007 15:52:26 +0700

Hi!

I've found that when DUMMYNET reinjects a packet into the stack to pass it through the next ipfw rules, it is processed by IPSEC a second time too. And it is encapsulated with ESP a second time, breaking PMTUD again.

I've found an acceptable workaround: we need to tell the IPSEC code not to process already-encapsulated packets:

spdadd 1.1.1.1/32 2.2.2.2/32 esp -P out none;

Sadly, the setkey(8) parser has a bug preventing us from using this workaround. See http://www.freebsd.org/cgi/query-pr.cgi?pr=107392 for details and a trivial patch against setkey.

Eugene
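To show where the workaround sits in a complete policy set, here is an example setkey(8) policy file added by the editor; it is not from the PR or from FreeBSD, and the inner subnets 10.0.1.0/24 and 10.0.2.0/24 are assumed. The tunnel policies match the inner addresses, so the only policy the reinjected, already-ESP-encapsulated packet (outer addresses 1.1.1.1 -> 2.2.2.2, upper-layer protocol esp) can match is the `none` policy, which makes the second pass through IPsec output leave it alone.

```conf
# Assumed topology (not from the PR): gateway 1.1.1.1 tunnels
# 10.0.1.0/24 <-> 10.0.2.0/24 to gateway 2.2.2.2.
spdflush;

# Bypass policy from the PR: an outgoing packet that is already ESP
# between the two gateways must not be encapsulated a second time
# when dummynet reinjects it into ipfw/IPsec output processing.
spdadd 1.1.1.1/32 2.2.2.2/32 esp -P out none;

# Tunnel policies for the inner traffic (assumed subnets). They match
# on the inner addresses, so they never match the outer ESP packet.
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
    esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
    esp/tunnel/2.2.2.2-1.1.1.1/require;
```

Load it with `setkey -f` and check the installed policies with `setkey -DP`; as the message notes, the setkey(8) parser of the affected release rejects the `none` policy line until the patch from PR 107392 is applied.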