After running into some issues with VTI code (see my VTI patches) I decided to take a peek at the xfrmi code. I believe it has the same problems as the VTI code for which I submitted patches.
I was planning on testing this with latest kernel but so far I've not yet been able to do so... Only reason why I'm already submitting this message is because there is a 'Linux IPsec workshop' next week. Two issues that I believe exist: - 'xfrmi_xmit2': for an IPv4 packet the DF bit is not checked --> it will send a 'ICMP_FRAG_NEEDED' in response to a packet that is too big but does not have the 'DF' bit set. I believe proper behavior is to fragment the packet See also: [PATCH ipsec/vti 1/2] vti: fragment IPv4 packets when DF bit is not - 'xfrmi6_err': this is not able to handle a ICMPv6 in response to a fragmented IPv6 ESP packet. It uses iph->nexthdr which will be set to 'NEXTHDR_FRAGMENT' which is unhand led in the code. (It expects IPPROTO_ESP/_AH/_COMP) See also: [PATCH ipsec/vti 2/2] vti6: process icmp msg when IPv6 is fragmented
