Date: Mon, 9 Jan 2006 23:42:57 +0100
From: Jeremie Le Hen <jeremie@le-hen.org>
To: nielsen@memberwebs.com
Cc: freebsd-net@freebsd.org
Subject: Re: [fbsd] Problem with PMTU Discovery / DF / IPSEC / GIF Tunnels (FreeBSD 6.0 patch)
Message-ID: <20060109224257.GX90495@obiwan.tataz.chchile.org>
In-Reply-To: <20060104181309.8C756DCA990@mail.npubs.com>
References: <20060104181309.8C756DCA990@mail.npubs.com>

Hi, Nate,

> I encountered a strange problem with PMTU discovery not working properly
> on various machines when the packets were tunneled over a GIF / IPSEC
> Transport type tunnel (both ends running FreeBSD 6.0). Configuration
> files attached.
>
> Various older FreeBSD systems (it seemed systems that had jails running)
> and also Windows Virtual Machines running in Microsoft's Virtual Server
> 2005 system, did not perform PMTU discovery properly.
>
> The FreeBSD 6.0 routers were sending out ICMP host-unreachable
> need-fragment packets without an MTU hint. Most machines handle this
> fine, but the ones noted above did not decrease PMTU for the connection.
>
> The attached patch makes sure that the FreeBSD 6.0 router will include
> an MTU hint in the ICMP packet. The problem was caused by the IPSec
> lookup in ip_forward() returning an secpolicy pointer, but then that
> pointer having no details (such as request, etc...) contained in it. The
> attached patch (against 6.0) covers that eventuality.
>
> The 'bug' is obviously in the machines that don't handle the missing MTU
> hint properly, but since we can't patch Windows, this patch helps
> alleviate the problem from the other side.

Thank you for fixing this! I have been puzzled for months with this.
I hope to see it committed soon.

Best regards.
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
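
Added example, not part of the original message or of the attached patch: a Python sketch of how a receiving host reads the ICMP "fragmentation needed" message (type 3, code 4) discussed above, and what it has to do when the next-hop MTU field is zero. The field layout and the plateau fallback follow RFC 1191; the function names, addresses and sample packets are constructed for illustration.

```python
import struct

# RFC 1191 section 7.1 plateau table, used when a router sends no MTU hint.
PLATEAUS = [65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68]

def inet_checksum(data: bytes) -> int:
    """Standard 16-bit one's-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frag_needed(next_hop_mtu: int, orig_total_len: int) -> bytes:
    """Constructed sample: type 3/code 4 quoting an IPv4 header + 8 bytes."""
    quoted = struct.pack("!BBHHHBBH4s4s", 0x45, 0, orig_total_len, 0x1234,
                         0x4000, 64, 6, 0,            # DF set, TTL 64, TCP
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    quoted += b"\x00" * 8
    head = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu)
    csum = inet_checksum(head + quoted)
    return struct.pack("!BBHHH", 3, 4, csum, 0, next_hop_mtu) + quoted

def parse_frag_needed(icmp: bytes) -> dict:
    """Return the PMTU a host should adopt, and whether a hint was present."""
    if len(icmp) < 8 + 20:
        raise ValueError("truncated ICMP message")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        raise ValueError("not a fragmentation-needed message")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    # Total Length of the quoted (dropped) datagram: IPv4 header bytes 2-3.
    orig_len = struct.unpack("!H", icmp[10:12])[0]
    if mtu:
        return {"hint": True, "new_pmtu": mtu}
    # No hint (the case in this thread): step down to the next plateau
    # below the size of the datagram that was dropped.
    fallback = next((p for p in PLATEAUS if p < orig_len), 68)
    return {"hint": False, "new_pmtu": fallback}

if __name__ == "__main__":
    print(parse_frag_needed(build_frag_needed(1400, 1500)))
    print(parse_frag_needed(build_frag_needed(0, 1500)))
```

A host that ignores the zero-hint case instead of falling back keeps sending full-size DF packets, which matches the symptom reported in the quoted message.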