Subject: Default value of net.inet.ipsec.dfbit breaks PMTU over IPsec tunnels
To: None <tech-net@netbsd.org>
From: Steve Woodford <scw@netbsd.org>
List: tech-net
Date: 05/21/2004 16:54:57
Hi,

See PR kern/25658.

Before submitting the above PR, I consulted Google on the merits of the 
default behaviour of always clearing the DF bit when encapsulating IPv4 
in an IPsec tunnel (resulting in PMTU discovery lossage).

There seems to be some wisdom that the default is "safer" in that an 
unfriendly router between two tunnel endpoints could return "ICMP need 
frag" and so reduce the PMTU to some unreasonable value (since the 
ICMP is returned out of band with respect to the tunnel).

Can anyone clarify this situation? Is there a real good reason why 
NetBSD's IPsec implementation should default to breaking PMTU for IPsec 
tunnels?

Cheers, Steve
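The following is an added toy model of the behaviour discussed in the message above; it is not code from NetBSD, from PR kern/25658, or from the poster. It models the three possible outer-header DF policies (clear, set, copy), shows why clearing DF means the inner host never receives a "need frag" and so never learns the path MTU, and shows the out-of-band ICMP concern: a forged "need frag" reaching the tunnel endpoint cannot be authenticated by the SA, so the model clamps the reported MTU to a floor before relaying it inward. The ESP overhead (58 bytes), the 576-byte floor, and the policy names are constructed assumptions; which integer `net.inet.ipsec.dfbit` assigns to each policy is not stated on this page.

```python
"""Toy model of IPv4-in-IPsec tunnel encapsulation and path MTU discovery.

Added example; not code from NetBSD or from PR kern/25658.  All sizes are
constructed assumptions chosen to keep the arithmetic easy to follow.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed ESP tunnel-mode overhead: outer IPv4 header (20) + ESP header (8)
# + IV (16) + pad/trailer (2) + ICV (12).  Real overhead depends on the
# cipher and integrity algorithms negotiated for the SA.
ESP_TUNNEL_OVERHEAD = 20 + 8 + 16 + 2 + 12  # 58 bytes

# Assumed floor applied when accepting an ICMP "need frag": a forged ICMP
# from an unfriendly router cannot drive the relayed PMTU below this.
IPV4_MIN_PMTU = 576

# Outer-header DF policies.  These are the three behaviours the post
# discusses; the sysctl's integer encoding of them is not given on the page,
# so the model keys on the names.
DF_CLEAR, DF_SET, DF_COPY = "clear", "set", "copy"


@dataclass
class Packet:
    size: int                          # total length in bytes
    df: bool                           # Don't Fragment bit in this header
    inner: Optional["Packet"] = None   # for an outer packet, the encapsulated one


@dataclass
class RouterResult:
    outcome: str                        # "delivered", "fragmented" or "need_frag"
    reported_mtu: Optional[int] = None  # MTU carried in the ICMP need-frag


def encapsulate(inner: Packet, policy: str) -> Packet:
    """Wrap an inner IPv4 packet in an ESP tunnel-mode outer packet."""
    if policy == DF_CLEAR:
        outer_df = False
    elif policy == DF_SET:
        outer_df = True
    elif policy == DF_COPY:
        outer_df = inner.df
    else:
        raise ValueError(f"unknown DF policy {policy!r}")
    return Packet(size=inner.size + ESP_TUNNEL_OVERHEAD, df=outer_df, inner=inner)


def transit_router(pkt: Packet, link_mtu: int) -> RouterResult:
    """A router between the tunnel endpoints whose next hop has link_mtu.

    It sees only the outer header, so only the outer DF bit decides whether
    the packet is fragmented in transit or bounced with ICMP need-frag.
    """
    if pkt.size <= link_mtu:
        return RouterResult("delivered")
    if pkt.df:
        return RouterResult("need_frag", reported_mtu=link_mtu)
    # Outer fragments are reassembled by the far tunnel endpoint; the inner
    # sender is never told anything.
    return RouterResult("fragmented")


def inner_mtu_from_icmp(reported_outer_mtu: int, floor: int = IPV4_MIN_PMTU) -> int:
    """Translate an ICMP need-frag seen on the outer path into the MTU to relay
    to the inner sender.  The ICMP arrives outside the IPsec SA and cannot be
    authenticated, so the reported value is clamped before the overhead is
    subtracted."""
    return max(reported_outer_mtu, floor) - ESP_TUNNEL_OVERHEAD


def probe_pmtu(inner_size: int, policy: str, link_mtu: int) -> dict:
    """Inner host sends a DF=1 probe of inner_size bytes through the tunnel and
    the result describes what it can learn about the path MTU."""
    inner = Packet(size=inner_size, df=True)
    result = transit_router(encapsulate(inner, policy), link_mtu)
    if result.outcome == "need_frag":
        return {"outcome": "need_frag",
                "inner_pmtu": inner_mtu_from_icmp(result.reported_mtu)}
    # "delivered" or "fragmented": no ICMP reaches the inner host.
    return {"outcome": result.outcome, "inner_pmtu": None}


if __name__ == "__main__":
    for policy in (DF_CLEAR, DF_SET, DF_COPY):
        print(policy, probe_pmtu(1500, policy, link_mtu=1500))
    # A forged need-frag claiming a 68-byte MTU, with and without the clamp.
    print("forged, clamped:  ", inner_mtu_from_icmp(68))
    print("forged, unclamped:", inner_mtu_from_icmp(68, floor=0))
```

With a 1500-byte probe over a 1500-byte link, the clear policy yields "fragmented" and the inner host never learns a PMTU, while set or copy yield a need-frag that translates to an inner MTU of 1442. The forged-ICMP case shows what the floor buys: an unclamped endpoint would relay an inner MTU of 10 bytes.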