>> Yes, this could well be related to the ep driver issues discussed earlier.
>
>Well, it is not. I don't know what I was thinking/doing when I "checked"
>that the problem was asymmetric. Here is the countdown of the facts:
>
>	- without IPSEC I can transfer bytes in both directions normally
>	- with IPSEC enabled transfers to either direction fail for
>	  bigger packets (one end has ep0, the other has ex0); ie. packets
>	  that grow over MTU size due to IPSEC overhead
>	- with IPSEC policies, but Path MTU Discovery disabled
>	  (sysctl -w net.inet.ip.mtudisc=0) problems disappear
>
>So, my problem is solved. In case others have similar problems:
>
>	- is the above expected behavior?
>	- how should I have learned about it in advance?
>	- should it be documented better?

	i think, between your nodes, there's some router which is discarding
	icmp need fragment message (= generic PMTUD blackhole problem).

itojun