Subject: Re: IPsec tunnel doesn't pass large packets
To: None <current-users@NetBSD.org>
From: Rui Paulo <rpaulo@fnop.net>
List: current-users
Date: 04/29/2006 11:31:38
khym@azeotrope.org writes:

> I have a NetBSD/i386 machine running a kernel from late November 2005
> (version 3.99.11) as one end of an IPsec tunnel (the other end is Linux,
> but I don't think that matters). It works great except for one thing...
> it doesn't seem to pass large packets. ping -s 1418 works, but
> ping -s 1419 doesn't. If I run tcpdump on the NetBSD
> end of the tunnel endpoint and watch the unencrypted side when I do a
> ping -s 1419, I see:
>
> 23:17:13.218441 IP 10.1.1.73 > 10.2.1.20: icmp 1427: echo request seq 0
> 23:17:14.220058 IP 10.1.1.73 > 10.2.1.20: icmp 1427: echo request seq 1
> 23:17:15.220100 IP 10.1.1.73 > 10.2.1.20: icmp 1427: echo request seq 2
> 23:17:16.220159 IP 10.1.1.73 > 10.2.1.20: icmp 1427: echo request seq 3
>
> However, if I watch the external interface, I don't see any ESP packets
> at all. If I repeat the same thing with ping -s 1418, I get the expected
> result: echo requests get encrypted, and I see the ESP packets go out.
>
> Anyone know what the problem might be?

Aren't you exceeding the interface MTU?
AFAIK, -s 1419 + IPsec headers might exceed.

-- 
  Rui Paulo			<rpaulo@{NetBSD{,-PT}.org,fnop.net}>
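One way to check the MTU explanation is to work out the ESP tunnel-mode overhead for the two ping sizes. The Python below is an added example, not code from either poster; it assumes ESP in tunnel mode over IPv4 (RFC 4303 layout), a 1500-byte outer MTU, a CBC cipher with an 8-byte IV and 8-byte block (e.g. 3DES-CBC) and a 12-byte ICV (e.g. HMAC-SHA1-96). None of those parameters are stated in the thread; they are chosen because they reproduce the observed boundary (-s 1418 fits, -s 1419 does not). The `largest_payload` helper generalises the check to other cipher parameters.

```python
# ESP tunnel-mode packet size calculator (RFC 4303 layout over IPv4).
# Added example; assumptions: tunnel mode, CBC cipher, no NAT-T, no IP options.
IP_HDR = 20          # IPv4 header without options
ICMP_HDR = 8         # ICMP echo header (tcpdump's "icmp 1427" = 8 + 1419)
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)


def esp_tunnel_size(inner_len, iv_len=8, block_len=8, icv_len=12):
    """Return (outer packet length, padding bytes) for an inner IPv4 packet of
    inner_len bytes carried in ESP tunnel mode with a CBC cipher whose block
    size is block_len, IV is iv_len bytes and integrity tag is icv_len bytes."""
    plaintext = inner_len + ESP_TRAILER
    pad = (-plaintext) % block_len          # pad up to a whole cipher block
    outer = IP_HDR + ESP_HDR + iv_len + plaintext + pad + icv_len
    return outer, pad


def ping_inner_len(payload):
    """Length of the inner IPv4 packet for `ping -s payload`."""
    return IP_HDR + ICMP_HDR + payload


def fits(payload, mtu=1500, iv_len=8, block_len=8, icv_len=12):
    """True if `ping -s payload` fits in the outer MTU without fragmentation."""
    outer, _ = esp_tunnel_size(ping_inner_len(payload), iv_len, block_len, icv_len)
    return outer <= mtu


def largest_payload(mtu=1500, iv_len=8, block_len=8, icv_len=12):
    """Largest `ping -s` value that still fits in one outer packet.
    Walks down from the MTU; padding makes the size non-monotonic in small
    steps, so a search is simpler than a closed form."""
    for payload in range(mtu, -1, -1):
        if fits(payload, mtu, iv_len, block_len, icv_len):
            return payload
    return 0


if __name__ == "__main__":
    for s in (1418, 1419):
        outer, pad = esp_tunnel_size(ping_inner_len(s))
        print(f"ping -s {s}: inner {ping_inner_len(s)}, pad {pad}, outer {outer},"
              f" fits={fits(s)}")
    print("largest payload, 3DES-CBC/HMAC-SHA1-96:", largest_payload())
    print("largest payload, AES-CBC/HMAC-SHA1-96: ",
          largest_payload(iv_len=16, block_len=16))
```

With the assumed parameters `-s 1418` produces a 1496-byte outer packet and `-s 1419` a 1504-byte one, which is exactly the boundary reported above. Changing the cipher moves the boundary (a 16-byte IV and block, as with AES-CBC, lowers the largest payload to 1410), so the same calculation can be used to pick an inner-interface MTU that avoids post-encapsulation fragmentation regardless of the SA's algorithms.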