Subject: IPsec tunnel doesn't pass large packets
To: None <>
From: None <>
List: current-users
Date: 04/28/2006 23:23:23
I have a NetBSD/i386 machine running a kernel from late November 2005
(version 3.99.11) as one end of an IPsec tunnel (the other end is Linux,
but I don't think that matters). It works great except for one thing...
it doesn't seem to pass large packets. ping -s 1418 works, but
ping -s 1419 doesn't.. If I run tcpdump on the NetBSD
end of the tunnel endpoint and watch the unencrypted side when I do a
ping -s 1419, I see:

23:17:13.218441 IP > icmp 1427: echo request seq 0
23:17:14.220058 IP > icmp 1427: echo request seq 1
23:17:15.220100 IP > icmp 1427: echo request seq 2
23:17:16.220159 IP > icmp 1427: echo request seq 3

However, if I watch the external interface, I don't see any ESP packets
at all. If I repeat the same thing with ping -s 1418, I get the expected
result: echo requests get encrypted, and I see the ESP packets go out.

Anyone know what the problem might be?