Subject: Re: packet loss? w/ 1.6[A-D] & IPSEC policy
To: None <itojun@iijlab.net>
From: Kimmo Suominen <kim@tac.nyc.ny.us>
List: current-users
Date: 07/23/2002 07:42:29

I don't think this is very likely, because it worked just fine before
the upgrade of NetBSD. It would be quite a coincidence that someone
broke a router exactly at the same time.

Also, PMTUD works ok if IPsec is disabled.

The combination of PMTUD and IPsec (or PMTUD, IPsec and gif-tunnel) is
the problem. Without IPsec you can also use PMTUD and gif just fine.

And all combinations worked before NetBSD 1.6A.

+ Kim

| From: itojun@iijlab.net
| Date: Tue, 23 Jul 2002 13:48:39 +0900
|
| >> Yes, this could well be related to the ep driver issues discussed earlier.
| >
| >Well, it is not. I don't know what I was thinking/doing when I "checked"
| >that the problem was asymmetric. Here is the countdown of the facts:
| >
| > - without IPSEC I can transfer bytes in both directions normally
| > - with IPSEC enabled transfers to either direction fail for
| >   bigger packets (one end has ep0, the other has ex0); i.e. packets
| >   that grow over MTU size due to IPSEC overhead
| > - with IPSEC policies, but Path MTU Discovery disabled
| >   (sysctl -w net.inet.ip.mtudisc=0) problems disappear
| >
| >So, my problem is solved. In case others have similar problems:
| >
| > - is the above expected behavior?
| > - how should I have learned about it in advance?
| > - should it be documented better?
|
| i think, between your nodes, there's some router which is discarding
| icmp need fragment message (= generic PMTUD blackhole problem).
|
| itojun
|