Subject: Re: packet loss? w/ 1.6[A-D] & IPSEC policy
To: None
From: Kimmo Suominen
List: current-users
Date: 07/23/2002 07:42:29
I don't think this is very likely, because it worked just fine before
the upgrade of NetBSD.  It would be quite a coincidence that someone
broke a router exactly at the same time.

Also, PMTUD works ok if IPsec is disabled.

The combination of PMTUD and IPsec (or PMTUD, IPsec and gif-tunnel) is
the problem.  Without IPsec you can also use PMTUD and gif just fine.

And all combinations worked before NetBSD 1.6A.

+ Kim

| From:
| Date:    Tue, 23 Jul 2002 13:48:39 +0900
| >> Yes, this could well be related to the ep driver issues discussed earlier.
| >
| >Well, it is not. I don't know what I was thinking/doing when I "checked"
| >that the problem was asymmetric. Here is the countdown of the facts:
| >
| >	- without IPSEC I can transfer bytes in both directions normally
| >	- with IPSEC enabled transfers to either direction fail for
| >	  bigger packets (one end has ep0, the other has ex0); i.e. packets
| >	  that grow over MTU size due to IPSEC overhead
| >	- with IPSEC policies, but Path MTU Discovery disabled
| >	  (sysctl -w net.inet.ip.mtudisc=0) problems disappear
| >
| >So, my problem is solved. In case others have similar problems:
| >
| >	- is the above expected behavior?
| >	- how should I have learned about it in advance?
| >	- should it be documented better?
| 	I think, between your nodes, there's some router which is discarding
| 	ICMP need-fragment messages (= generic PMTUD blackhole problem).
| itojun
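The two explanations offered in this thread (ESP overhead pushing a full-size TCP segment past the link MTU, and a router between the endpoints discarding the ICMP "need fragmentation" message) can be modelled side by side. The following is an added example, not code from the NetBSD thread or from the KAME IPsec stack: the ESP framing follows RFC 4303, but the link MTU, the cipher sizes (3DES-CBC with HMAC-SHA1-96 in tunnel mode), the path behaviour and the way the sender re-derives its inner PMTU after an EMSGSIZE are constructed simplifications. The three scenarios it runs correspond to working PMTUD, the blackhole itojun describes, and the `sysctl -w net.inet.ip.mtudisc=0` workaround from the original post.

```python
"""Model of Path MTU Discovery interacting with IPsec ESP overhead.

Added example, not code from the NetBSD thread. ESP framing follows RFC 4303;
the link MTU, cipher sizes and path behaviour are constructed for illustration,
and the "sender re-derives the inner PMTU" step is a simplification of what a
kernel does when its own IPsec output path reports EMSGSIZE.
"""
from math import ceil

IP_HDR = 20        # IPv4 header without options
TCP_HDR = 20       # TCP header without options
ESP_SPI_SEQ = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)


def esp_overhead(inner_len, iv_len=8, block=8, icv_len=12, tunnel=True):
    """Bytes ESP adds around an inner packet of inner_len bytes.

    Padding aligns inner + trailer to the cipher block size, so the overhead
    is not constant: it varies with inner_len. Defaults are a constructed
    3DES-CBC (8-byte IV and block) + HMAC-SHA1-96 (12-byte ICV) SA; tunnel
    mode adds a new outer IPv4 header on top of the ESP header and trailer.
    """
    pad = (-(inner_len + ESP_TRAILER)) % block
    outer = IP_HDR if tunnel else 0
    return outer + ESP_SPI_SEQ + iv_len + pad + ESP_TRAILER + icv_len


def simulate_transfer(link_mtu, mtudisc, icmp_filtered, max_rounds=8):
    """One TCP sender whose packets are ESP-encapsulated before hitting a link.

    mtudisc=True  models net.inet.ip.mtudisc=1: DF is set on the outer packet.
    mtudisc=False models sysctl -w net.inet.ip.mtudisc=0: DF clear, fragment.
    icmp_filtered models a router that discards ICMP "need fragmentation".
    Returns (outcome, wire_len, detail) where detail is the round number for
    delivered/blackhole and the fragment count for fragmented.
    """
    pmtu = link_mtu                      # initial estimate: first-hop MTU
    wire = 0
    for rnd in range(max_rounds):
        mss = pmtu - IP_HDR - TCP_HDR    # TCP sizes segments to the inner PMTU
        inner = IP_HDR + TCP_HDR + mss   # full-size inner IP packet
        wire = inner + esp_overhead(inner)
        if wire <= link_mtu:
            return ("delivered", wire, rnd)
        if not mtudisc:
            # DF clear: the oversize ESP packet is fragmented on the wire.
            # Each fragment carries a multiple of 8 bytes after its IP header.
            per_frag = (link_mtu - IP_HDR) // 8 * 8
            return ("fragmented", wire, ceil((wire - IP_HDR) / per_frag))
        if icmp_filtered:
            # DF set, packet too big, and the ICMP that would shrink pmtu
            # never arrives: the generic PMTUD blackhole. Small packets still
            # pass, anything near full size hangs forever.
            return ("blackhole", wire, rnd)
        # ICMP type 3 code 4 arrives carrying the link MTU; the sender
        # subtracts the ESP overhead it will add and retries with a smaller
        # inner packet. Because padding changes with the length, this can
        # take more than one round before the packet actually fits.
        pmtu = link_mtu - esp_overhead(inner)
    return ("gave_up", wire, max_rounds)


if __name__ == "__main__":
    # (link MTU, mtudisc on?, ICMP need-fragment filtered?)
    for args in ((1500, True, False), (1500, True, True), (1500, False, True)):
        print(args, simulate_transfer(*args))
```

Running it shows why the third scenario "fixes" the problem: with DF clear the 1552-byte ESP packet is simply split into two fragments, at the cost of reassembly on the far end and the usual fragmentation pitfalls, whereas turning PMTUD back on is only safe if the ICMP need-fragment messages can actually reach the sender. Note also that a working PMTUD needs two rounds here, because the ESP padding grows when the inner packet shrinks; a sender that subtracts a fixed overhead can still end up a few bytes over.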