freebsd stable - Jan 2015 - PMTU (must fragment) with ipsec [Was: Re: ipsec routing issue]

Bez?glich Dewayne Geraghty's Nachricht vom 30.12.2014 01:09
(localtime):
> Ari,
>
> Bjoern offers good advise (as usual).  This practical example might
Hello,

I'm quiet familar with ipsec(4), enc(1) and companions, but I haven't
found a way to make routers return ICMP "must fragment" with gif-less
tunnels.
My last attempt was adding disc(4), assign it a MTU of 1420 and add a
static route which points to disc.
That works for 'route get remotelan' on the router itself, it's
reporting correctly the mtu of 1420, but nevertheless, the router never
returns "must fragment" (which I'd need because FreeBSD has PMTU
on and
we use jumbo frames).
Apperently fragementation is handled before packets arrive at the
outgoing interface. Of course, kernel policy "steals" the packet
before
ot reaches "outgoing" state.
Do I miss any trick?

Thanks,

-Harry

On Mon, Jan 5, 2015, at 03:14, Harry Schmalzbauer wrote:
>  Bez?glich Dewayne Geraghty's Nachricht vom 30.12.2014 01:09
(localtime):
> > Ari,
> >
> > Bjoern offers good advise (as usual).  This practical example might
> 
> Hello,
> 
> I'm quiet familar with ipsec(4), enc(1) and companions, but I
haven't
> found a way to make routers return ICMP "must fragment" with
gif-less
> tunnels.
> My last attempt was adding disc(4), assign it a MTU of 1420 and add a
> static route which points to disc.
> That works for 'route get remotelan' on the router itself, it's
> reporting correctly the mtu of 1420, but nevertheless, the router never
> returns "must fragment" (which I'd need because FreeBSD has
PMTU on and
> we use jumbo frames).
> Apperently fragementation is handled before packets arrive at the
> outgoing interface. Of course, kernel policy "steals" the packet
before
> ot reaches "outgoing" state.
> Do I miss any trick?
>
You can apply an MTU to a route instead of an interface, so perhaps that
would work better? Just add -mtu 1420 at the end of your route statement
and it will work its magic. :-)