Continuing from misc@: I have two different gateway machines, one with em(4), one with igc(4) that exhibit the problem.
With an iked.conf policy like this:

    ikev2 "foo" esp \
        from 192.168.5.0/24 to dynamic \
        [...] \
        peer any \
        [...]

where 192.168.5.1 is an address on the gateway itself and the default route is on pppoe0 upon vlan7 upon em0/igc0.

TCP MSS is clamped in pf.conf for the IPSec tunnel:

    match on enc0 all scrub (max-mss 1228)

This works as expected for any machine on the 192.168.5.0/24 network. However, TCP connections to 192.168.5.1 will receive huge return packets that get fragmented over pppoe0. Setting net.inet.tcp.tso=0 restores expected behaviour. So there is a bug somewhere when making the decision to rely on TSO for TCP segmentation.
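The following is an added diagnostic helper, not part of the report above and not OpenBSD project code. It checks the two settings the report ties together, the net.inet.tcp.tso sysctl and whether pf clamps max-mss on the tunnel interface, and flags the combination described (TSO on, clamp only on enc0). The sysctl(8) and pfctl(8) output formats it parses are assumed; the sample output embedded below is constructed so the script runs offline, and the live invocation is left commented out.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original bug report). It inspects
# `sysctl net.inet.tcp.tso` and `pfctl -sr` output to spot the configuration
# the report describes: TSO enabled and TCP MSS clamped only on enc0.
# Output formats are assumed from OpenBSD sysctl(8)/pfctl(8).

# Constructed sample standing in for `sysctl net.inet.tcp.tso`
SAMPLE_SYSCTL='net.inet.tcp.tso=1'

# Constructed sample standing in for `pfctl -sr`
SAMPLE_RULES='match on enc0 all scrub (max-mss 1228)
pass in on vlan7 all
pass out on pppoe0 all'

# tso_enabled SYSCTL_OUTPUT: succeeds if TSO is turned on
tso_enabled() {
    printf '%s\n' "$1" | grep -q '^net\.inet\.tcp\.tso=1$'
}

# mss_clamped_on RULES IFACE: succeeds if a match rule scrubs max-mss on IFACE
mss_clamped_on() {
    printf '%s\n' "$1" | grep -Eq "^match( (in|out))? on $2 .*max-mss"
}

# assess SYSCTL_OUTPUT RULES TUNNEL_IF prints one of:
#   tso-off    - TSO disabled, the workaround from the report
#   exposed    - TSO on and max-mss clamped on the tunnel interface: the
#                configuration in which the report observed oversized
#                return segments for TCP to the gateway's own address
#   unclamped  - no max-mss clamp found on the tunnel interface at all
assess() {
    if ! tso_enabled "$1"; then
        echo tso-off
    elif mss_clamped_on "$2" "$3"; then
        echo exposed
    else
        echo unclamped
    fi
}

# Live use on the gateway (commented out so the script runs offline):
# assess "$(sysctl net.inet.tcp.tso)" "$(pfctl -sr)" enc0
assess "$SAMPLE_SYSCTL" "$SAMPLE_RULES" enc0
```

On the constructed sample the script prints `exposed`; after `sysctl net.inet.tcp.tso=0` (the workaround in the report) it would print `tso-off`.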