FAST_IPSEC not sending ICMP frag needed? (was Re: FAST_IPSEC(?) drops packets?)

To: tech-net%netbsd.org@localhost
Subject: FAST_IPSEC not sending ICMP frag needed? (was Re: FAST_IPSEC(?) drops packets?)
From: Dave Huang <khym%azeotrope.org@localhost>
Date: Sat, 26 Feb 2011 12:32:25 -0600

On 2/26/2011 6:36 AM, Matthias Drochner wrote:

So is the CANTFRAG number counting in "netstat -pip"?
Shouldn't the encapsulation code send NEEDFRAG ICMPs
then? Do you observe any? Perhaps this part doesn't
work correctly in FAST_IPSEC...

Yes, I do see "datagrams that can't be fragmented" increase in "netstat-pip". However, I don't see the router sending any ICMP fragmentationneeded packets back.

BTW, changing net.inet.ipsec.dfbit to 0 does work around the problem(but causes fragmentation).

References:
- FAST_IPSEC(?) drops packets?
  - From: Dave Huang
- Re: FAST_IPSEC(?) drops packets?
  - From: Dave Huang
- Re: FAST_IPSEC(?) drops packets?
  - From: Matthias Drochner

Prev by Date: Re: FAST_IPSEC(?) drops packets?
Next by Date: PF+IPv6 broken for me
Previous by Thread: Re: FAST_IPSEC(?) drops packets?
Next by Thread: PF+IPv6 broken for me
Indexes:

Home | Main Index | Thread Index | Old Index