https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242744
--- Comment #5 from Victor Sudakov <v...@sibptus.ru> ---
(In reply to Eugene Grosbein from comment #4)

> First, one can use IPSec transport mode combined with gif tunnel and mtu=1500
> for the gif.

The solution with gif or if_ipsec tunnels is not scalable if you want to create a mesh of hosts with protected traffic between them. If we are talking about not more than 2-3 hosts, then the if_ipsec solution is the most elegant.

> Second, one can try sysctl net.inet.ipsec.dfbit=0 that is documented in
> ipsec(4) manual page for IPSec tunnel mode
> but maybe it works for transport mode, too

I wrote in the initial problem description that this sysctl does not work for transport mode. You just did not pay attention.

> Third, you can adjust TCP MSS by means of packet filters.

I don't think I can if the packet in question is not received or transmitted via any interface (like locally generated ssh-client traffic intercepted by IPSec policies). Or I'll try if you provide an example of matching such a packet.

I also tried pf's "scrub out proto 50 no-df" but there was no match.

In a FreeBSD - Windows 7 combination, this kind of transport mode works transparently out of the box. I think Windows knows to adjust MSS, or something.
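Added as a worked example for the MSS discussion in the thread above (it is not part of the bug report or of either participant's comments): it computes how many bytes ESP transport mode adds around a TCP segment and what MSS a segment would have to be clamped to so that the encapsulated packet still fits a given MTU. The IPv4/TCP headers without options and the per-transform IV, ICV and padding figures are assumptions chosen for the example.

```python
import math

# Fixed header sizes in bytes. IPv4 and TCP without options are assumptions for
# this example; a TCP timestamp option, for instance, adds 12 bytes to TCP_HDR.
IPV4_HDR = 20
TCP_HDR = 20
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)

# Constructed table of ESP transforms: (IV length, ICV length, pad alignment).
# CBC ciphers pad the plaintext to the cipher block size; AEAD transforms only
# need the 4-byte alignment that RFC 4303 requires for the ESP trailer.
TRANSFORMS = {
    "aes-cbc-128/hmac-sha1-96": (16, 12, 16),
    "aes-cbc-256/hmac-sha2-256-128": (16, 16, 16),
    "aes-gcm-128": (8, 16, 4),
}

def esp_transport_packet_size(tcp_payload, transform):
    """On-wire size of an IPv4 ESP transport-mode packet carrying one TCP segment."""
    iv, icv, align = TRANSFORMS[transform]
    plaintext = TCP_HDR + tcp_payload + ESP_TRAILER
    padded = math.ceil(plaintext / align) * align
    return IPV4_HDR + ESP_HDR + iv + padded + icv

def max_mss(mtu, transform):
    """Largest TCP MSS whose segment still fits in `mtu` after ESP transport encapsulation."""
    iv, icv, align = TRANSFORMS[transform]
    room = mtu - IPV4_HDR - ESP_HDR - iv - icv
    padded = (room // align) * align      # largest aligned plaintext that fits
    return padded - ESP_TRAILER - TCP_HDR

def oversize_with_default_mss(mtu, transform):
    """Bytes by which a segment sent at the plain MSS (mtu - 40) overshoots the MTU after ESP."""
    default_mss = mtu - IPV4_HDR - TCP_HDR
    return esp_transport_packet_size(default_mss, transform) - mtu

if __name__ == "__main__":
    for name in TRANSFORMS:
        print(f"{name}: clamp MSS to {max_mss(1500, name)}; "
              f"default MSS 1460 overshoots a 1500-byte MTU by "
              f"{oversize_with_default_mss(1500, name)} bytes")
```

With the default 1460-byte MSS of an Ethernet path, every full-size segment becomes larger than 1500 bytes once ESP is added, which is the DF/fragmentation situation described in this thread; the clamp value is what a `max-mss` style rule would have to apply.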