On Sat, Apr 29, 2006 at 05:07:16PM +0000, Christos Zoulas wrote:
> In article <20060429042321.GA19658@azeotrope.org>,  <khym@azeotrope.org> wrote:
> What is net.inet.ipsec.dfbit? If it is not 2, try 2.

It's 2... setting it to 0 doesn't change anything, setting it to 1 causes
the tunnel endpoint to return ICMP frag needed to the machine sending the
echo requests.

After further twiddling, it seems that pf is blocking the fragmented ESP
packets for some reason. If I turn off pf, it works (with dfbit set to 2).
However, I turned pf back on, and it still works. Very bizarre :(