[fbsd] Problem with PMTU Discovery / DF / IPSEC / GIF Tunnels (FreeBSD 6.0 patch)
Jeremie Le Hen
jeremie at le-hen.org
Mon Jan 9 14:42:59 PST 2006
Hi, Nate,
> I encountered a strange problem with PMTU discovery not working properly
> on various machines when the packets were tunneled over a GIF / IPSEC
> Transport type tunnel (both ends running FreeBSD 6.0). Configuration
> files attached.
>
> Various older FreeBSD systems (it seemed systems that had jails running)
> and also Windows Virtual Machines running in Microsoft's Virtual Server
> 2005 system, did not perform PMTU discovery properly.
>
> The FreeBSD 6.0 routers were sending out ICMP host-unreachable
> need-fragment packets without an MTU hint. Most machines handle this
> fine, but the ones noted above did not decrease PMTU for the connection.
>
> The attached patch makes sure that the FreeBSD 6.0 router will include
> an MTU hint in the ICMP packet. The problem was caused by the IPSec
> lookup in ip_forward() returning an secpolicy pointer, but then that
> pointer having no details (such as request, etc...) contained in it. The
> attached patch (against 6.0) covers that eventuality.
>
> The 'bug' is obviously in the machines that don't handle the missing MTU
> hint properly, but since we can't patch Windows, this patch helps
> alleviate the problem from the other side.
Thank you for fixing this! I have been puzzled for months by this.
I hope to see it committed soon.
Best regards.
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
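
Added example (not from this thread or the attached patch): what a receiving host can do with the ICMP need-fragment message discussed above, using the next-hop MTU field when the router filled it in and falling back to the RFC 1191 plateau table when it is zero. The function name, the sanity check on the hint and the sample packets are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 1191 section 7.1 MTU plateaus, largest first. */
static const uint16_t plateaus[] = {65535, 32000, 17914, 8166, 4352,
                                    2002, 1492, 1006, 508, 296, 68};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* icmp: start of the ICMP header, len: ICMP message length in bytes.
 * Returns the path MTU to adopt, or 0 if this is not a parsable "need
 * fragment" error. *had_hint is set when a plausible MTU hint was present. */
uint16_t pmtu_from_icmp(const uint8_t *icmp, size_t len, int *had_hint)
{
    *had_hint = 0;
    /* 8-byte ICMP header plus at least a 20-byte embedded IPv4 header. */
    if (len < 28 || icmp[0] != 3 || icmp[1] != 4 || (icmp[8] >> 4) != 4)
        return 0;
    uint16_t hint = rd16(icmp + 6);      /* next-hop MTU, zero if unset */
    uint16_t dropped = rd16(icmp + 10);  /* Total Length of dropped packet */
    /* Below the IPv4 minimum of 68, or not smaller than the refused packet,
     * the field is not a usable hint (assumed sanity check). */
    if (hint >= 68 && hint < dropped) {
        *had_hint = 1;
        return hint;
    }
    /* No hint: step down to the next plateau below the dropped size. */
    for (size_t i = 0; i < sizeof plateaus / sizeof plateaus[0]; i++)
        if (plateaus[i] < dropped)
            return plateaus[i];
    return 68;
}

/* Constructed samples: ICMP header + embedded IPv4 header of a 1500-byte
 * DF packet. Checksums zeroed, addresses from documentation ranges. */
static const uint8_t no_hint[28] = {3, 4, 0, 0, 0, 0, 0, 0,
    0x45, 0, 0x05, 0xdc, 0, 1, 0x40, 0, 64, 6, 0, 0,
    192, 0, 2, 1, 198, 51, 100, 7};
static const uint8_t with_hint[28] = {3, 4, 0, 0, 0, 0, 0x05, 0x8e,
    0x45, 0, 0x05, 0xdc, 0, 1, 0x40, 0, 64, 6, 0, 0,
    192, 0, 2, 1, 198, 51, 100, 7};

int main(void)
{
    int h;
    printf("no hint: %u\n", (unsigned)pmtu_from_icmp(no_hint, sizeof no_hint, &h));
    printf("hinted:  %u\n", (unsigned)pmtu_from_icmp(with_hint, sizeof with_hint, &h));
    return 0;
}
```

A host that lacks the fallback branch keeps sending full-size DF packets when the hint is zero, which matches the stalled connections described in the quoted report.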