Date:      Mon, 23 Dec 2019 17:06:55 +0700
From:      Victor Sudakov <vas@sibptus.ru>
To:        "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc:        freebsd-net@freebsd.org
Subject:   Re: IPSec transport mode, mtu, fragmentation...
Message-ID:  <20191223100655.GA41651@admin.sibptus.ru>
In-Reply-To: <55eeca4c-9633-339a-f521-b0db462cc1d6@yandex.ru>
References:  <20191220152314.GA55278@admin.sibptus.ru> <f38d1f3c-dc47-0776-29f9-2151b05e09b0@tuxpowered.net> <20191220160357.GB56081@admin.sibptus.ru> <20191220162233.GA56815@admin.sibptus.ru> <55eeca4c-9633-339a-f521-b0db462cc1d6@yandex.ru>



Andrey V. Elsukov wrote:
> On 20.12.2019 19:22, Victor Sudakov wrote:
> >> What's the root of the problem? ESP packets cannot get fragmented or
> >> what?
> >
> > Wireshark has shown that the "Don't Fragment" flag is set on all ESP
> > (protocol 50) packets. Who does this, why, and how can I switch it off
> > globally?
>
> Hi,
>
> I think this DF flag is originally from TCP packet.

You are probably right. I did not think of this.

> ESP xform for transport mode just replaces protocol in IP header and
> adds some info to the end of a packet.

It is rather easy to verify your theory. If you are right, then
disabling net.inet.tcp.path_mtu_discovery globally should remove the DF
flags from the ESP packets too, right?

Of course, net.inet.tcp.path_mtu_discovery=0 is not a solution, it's just
a way to check the origin of the DF flag.

And if you are right, what does it mean to us? Did you see
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242744 already ?

My ultimate wish is to make transport mode work out of the box, without
any workarounds like additional host routes or firewall rules.

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
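As an added example (not code from this thread, from FreeBSD, or from either author), here is a small Python model of the transport-mode ESP transform (RFC 4303 framing) that makes the point above concrete: transport mode keeps the original IPv4 header, rewrites only Protocol, Total Length and Checksum, and appends an ESP header and trailer, so the DF bit that TCP path-MTU discovery set on the segment is inherited unchanged by the protocol-50 packet. A segment that already filled the MTU then exceeds it and, with DF set, cannot be fragmented on the way. The IV/ICV/block sizes, SPI and addresses are assumptions; encryption and authentication are omitted (payload left in cleartext, ICV zero-filled) because only header fields and sizes matter here.

```python
"""Toy model of IPsec transport-mode ESP encapsulation (RFC 4303 layout).

Added example, not FreeBSD kernel code. Cipher and ICV computation are
omitted on purpose: the payload stays in cleartext and the ICV is zeroed,
since only the IPv4 header fields and the resulting packet size matter.
IV, ICV and block sizes below are assumptions, not a specific SA.
"""
import struct

IPV4_DF = 0x4000          # "Don't Fragment" bit of the flags/fragment-offset field
IPPROTO_TCP = 6
IPPROTO_ESP = 50
ESP_IV_LEN = 16           # assumed: CBC-style 16-byte IV
ESP_ICV_LEN = 16          # assumed: 128-bit integrity check value
ESP_BLOCK = 16            # assumed: cipher block size used for trailer padding


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 means 'valid' when the field is included)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload: bytes, proto: int, df: bool,
               src: bytes = b"\x0a\x00\x00\x01", dst: bytes = b"\x0a\x00\x00\x02") -> bytes:
    """Minimal IPv4 packet: 20-byte header without options, constructed test addresses."""
    flags_frag = IPV4_DF if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0x1234, flags_frag, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Extract the header fields the discussion cares about."""
    (_, _, total_len, _, flags_frag, _, proto, _, _, _) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"total_len": total_len, "df": bool(flags_frag & IPV4_DF), "proto": proto,
            "checksum_ok": ipv4_checksum(pkt[:20]) == 0}


def esp_transport_encap(pkt: bytes, spi: int, seq: int) -> bytes:
    """Transport-mode ESP: reuse the IP header, wrap only the transport-layer payload."""
    hdr, payload = pkt[:20], pkt[20:]
    inner_proto = hdr[9]                                          # becomes ESP 'next header'
    esp_hdr = struct.pack("!II", spi, seq) + bytes(ESP_IV_LEN)     # SPI, sequence number, IV (zeroed)
    pad_len = (-(len(payload) + 2)) % ESP_BLOCK                    # align payload + padlen + nexthdr
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, inner_proto])
    body = esp_hdr + payload + trailer + bytes(ESP_ICV_LEN)        # cleartext stand-in for ciphertext
    # Only Protocol, Total Length and Checksum change; flags (DF included), TTL and
    # addresses are copied from the original header exactly as the stack found them.
    new_hdr = (hdr[:2] + struct.pack("!H", 20 + len(body)) + hdr[4:9]
               + bytes([IPPROTO_ESP]) + b"\x00\x00" + hdr[12:])
    new_hdr = new_hdr[:10] + struct.pack("!H", ipv4_checksum(new_hdr)) + new_hdr[12:]
    return new_hdr + body


def forwarding_verdict(pkt: bytes, link_mtu: int) -> str:
    """What a hop with the given link MTU does with the packet."""
    f = parse_ipv4(pkt)
    if f["total_len"] <= link_mtu:
        return "forward"
    if f["df"]:
        return "drop: DF set, ICMP fragmentation needed"
    return "fragment"


def demo(mtu: int = 1500) -> dict:
    """A TCP segment that PMTUD sized to the MTU (DF set) vs. the same segment with DF clear,
    i.e. the net.inet.tcp.path_mtu_discovery=0 check proposed in the mail."""
    results = {}
    for df in (True, False):
        tcp = build_ipv4(bytes(mtu - 20), IPPROTO_TCP, df=df)     # constructed full-MTU segment
        esp = esp_transport_encap(tcp, spi=0x1000, seq=1)
        results[df] = {"before": parse_ipv4(tcp), "after": parse_ipv4(esp),
                       "verdict": forwarding_verdict(esp, mtu)}
    return results


if __name__ == "__main__":
    for df, r in demo().items():
        print(f"DF={df}: TCP {r['before']['total_len']}B -> ESP {r['after']['total_len']}B, "
              f"DF after={r['after']['df']}, proto={r['after']['proto']}, verdict={r['verdict']}")
```

With DF set, a 1500-byte segment becomes a 1548-byte ESP packet that still carries DF, so a 1500-byte link can only drop it and send ICMP "fragmentation needed"; the host must then receive and honour that ICMP for PMTUD to shrink the segment. With DF clear (the sysctl check), the same ESP packet is simply fragmented, which shows the flag came from the TCP layer rather than from the ESP transform.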



