Subject: Re: IPsec tunnel doesn't pass large packets
To: None <current-users@NetBSD.org>
From: None <khym@azeotrope.org>
List: current-users
Date: 04/29/2006 11:47:51
On Sat, Apr 29, 2006 at 11:31:38AM +0100, Rui Paulo wrote:
> Aren't you exceeding the interface MTU ?
> AFAIK, -s 1419 + IPsec headers might exceed.

Perhaps so, but isn't that what fragmentation is for? I would've expected
it to fragment the packets instead of silently dropping them. I have
the net.inet.ipsec.dfbit sysctl set to 2 on the tunnel endpoint (which
I think fixed some other problem, but I forget what now); when I change
it to 1 (the default, IIRC), it sends back ICMP fragmentation needed
and DF set. However, the echo request packets don't have DF set...
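To put numbers on the MTU question in the exchange above, here is an added example (not code from the thread or from NetBSD) that estimates the ESP tunnel-mode size of a `ping -s` packet and what the outer DF bit becomes under each `net.inet.ipsec.dfbit` value. The cipher IV/block size, ICV length and MTU are constructed assumptions, and the 0/1/2 meanings follow the KAME definitions (clear, set, copy from inner header).

```python
# Added example, not part of the original thread: estimate the on-the-wire
# size of an ICMP echo request after ESP tunnel-mode encapsulation, and work
# out the outer IPv4 header's DF bit under each net.inet.ipsec.dfbit setting.
# Cipher/auth overheads and the MTU are constructed parameters.

IP_HDR = 20      # IPv4 header without options
ICMP_HDR = 8     # ICMP echo header
ESP_HDR = 8      # SPI + sequence number
ESP_TRAILER = 2  # pad length + next header

def esp_tunnel_size(payload, iv_len=8, block=8, icv_len=12):
    """Return (inner_len, outer_len) for an ICMP echo carrying `payload` bytes.

    inner_len is the plaintext IPv4 packet (what `ping -s payload` emits);
    outer_len is the ESP tunnel-mode packet with its outer IPv4 header.
    Defaults assume an 8-byte-block cipher (e.g. 3DES-CBC) and an HMAC
    truncated to 96 bits; these are illustrative assumptions.
    """
    inner_len = IP_HDR + ICMP_HDR + payload
    # ESP pads (inner packet + trailer) up to a multiple of the block size.
    pad = (-(inner_len + ESP_TRAILER)) % block
    encrypted = iv_len + inner_len + pad + ESP_TRAILER
    outer_len = IP_HDR + ESP_HDR + encrypted + icv_len
    return inner_len, outer_len

def outer_df(dfbit, inner_df):
    """Outer-header DF bit per net.inet.ipsec.dfbit (KAME semantics:
    0 = clear, 1 = set, 2 = copy the inner packet's DF bit)."""
    if dfbit == 0:
        return False
    if dfbit == 1:
        return True
    if dfbit == 2:
        return inner_df
    raise ValueError("net.inet.ipsec.dfbit must be 0, 1 or 2")

def classify(payload, mtu, dfbit, inner_df=False, **esp):
    """Describe what the tunnel endpoint should do with an echo of `payload` bytes."""
    _inner_len, outer_len = esp_tunnel_size(payload, **esp)
    if outer_len <= mtu:
        return "fits"
    if outer_df(dfbit, inner_df):
        return "too big, DF set: expect ICMP fragmentation needed"
    return "too big, DF clear: outer packet should be fragmented"

if __name__ == "__main__":
    # The thread's case: ping -s 1419 over a 1500-byte link, inner DF clear.
    for setting in (0, 1, 2):
        print(setting, esp_tunnel_size(1419), classify(1419, 1500, setting))
```

With the assumed overheads a 1419-byte payload encapsulates to 1504 bytes, just over a 1500-byte MTU, which is consistent with the symptoms described in the thread.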