Index: net/if_bridge.c
===================================================================
RCS file: /cvs/src/sys/net/if_bridge.c,v
diff -u -p -r1.372 if_bridge.c
--- net/if_bridge.c 1 Sep 2024 03:09:00 -0000 1.372
+++ net/if_bridge.c 4 Feb 2025 08:41:07 -0000
@@ -1646,7 +1646,7 @@ bridge_ipsec(struct ifnet *ifp, struct e
 ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG);
 } else {
 KERNEL_LOCK();
- error = ipsp_process_packet(m, tdb, af, 0);
+ error = ipsp_process_packet(m, tdb, af, 0, -1);
 KERNEL_UNLOCK();
 }
 tdb_unref(tdb);
Index: net/if_sec.c
===================================================================
RCS file: /cvs/src/sys/net/if_sec.c,v
diff -u -p -r1.11 if_sec.c
--- net/if_sec.c 19 Mar 2024 03:49:11 -0000 1.11
+++ net/if_sec.c 4 Feb 2025 08:41:07 -0000
@@ -73,6 +73,7 @@ struct sec_softc {
 struct task sc_send;
 int sc_txprio;
+ int sc_tunneldf;
 unsigned int sc_unit;
 SMR_SLIST_ENTRY(sec_softc) sc_entry;
@@ -127,6 +128,7 @@ sec_clone_create(struct if_clone *ifc, i
 sc = malloc(sizeof(*sc), M_DEVBUF, M_WAITOK|M_ZERO);
 sc->sc_unit = unit;
+ sc->sc_tunneldf = 0;
 task_set(&sc->sc_send, sec_send, sc);
@@ -213,6 +215,13 @@ sec_ioctl(struct ifnet *ifp, u_long cmd,
 ifp->if_mtu = ifr->ifr_mtu;
 break;
+ case SIOCSLIFPHYDF:
+ sc->sc_tunneldf = !!ifr->ifr_df;
+ break;
+ case SIOCGLIFPHYDF:
+ ifr->ifr_df = sc->sc_tunneldf;
+ break;
+
 default:
 error = ENOTTY;
 break;
@@ -391,7 +400,8 @@ sec_send(void *arg)
 m->m_pkthdr.ph_flowid = flowid;
 error = ipsp_process_packet(m, tdb,
- m->m_pkthdr.ph_family, /* already tunnelled? */ 0);
+ m->m_pkthdr.ph_family, /* already tunnelled? */ 0,
+ sc->sc_tunneldf);
 if (error != 0)
 counters_inc(ifp->if_counters, ifc_oerrors);
 }
Index: netinet/ip_ipsp.h
===================================================================
RCS file: /cvs/src/sys/netinet/ip_ipsp.h,v
diff -u -p -r1.246 ip_ipsp.h
--- netinet/ip_ipsp.h 1 Jan 2025 13:44:22 -0000 1.246
+++ netinet/ip_ipsp.h 4 Feb 2025 08:41:07 -0000
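Review bot: The new SIOCSLIFPHYDF/SIOCGLIFPHYDF cases in sec_ioctl add a tunnel DF knob to sec(4), but nothing in the diff documents it: the `sc_tunneldf` member added to struct sec_softc carries no comment and no sec.4 or ifconfig.8 change accompanies the ioctl, so an administrator cannot discover the setting. I would annotate the field at the struct hunk, `int sc_tunneldf; /* 0/1: set DF on the outer IPv4 header (SIOCSLIFPHYDF) */`, and ship the manual page update with the same commit. The `!!` on the set side is good; it pins the stored value to the 0/1 that the `setdf == 1` test in ipsec_output.c expects. sec_ioctl begins and ends outside the hunk.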
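Review bot: Passing `sc->sc_tunneldf` from sec_send silently changes sec(4)'s default: before this diff ipsp_process_packet unconditionally copied the inner IPv4 DF bit into the outer header (`setdf = ip->ip_off & htons(IP_DF)` in the ipsec_output.c hunks), whereas the field is initialised to 0 in sec_clone_create and 0 now means "never set DF" rather than "copy". Existing tunnels therefore move from preserving DF to emitting fragmentable ESP until someone opts in with the new ioctl. If the previous behaviour should stay the default, initialise the field to -1 in sec_clone_create and let only the ioctl store 0/1 (SIOCGLIFPHYDF would then need to decide how to report -1); if matching the DF-off default of the other tunnel drivers is the intent, I'd expect that to be stated explicitly. sec_send's body starts outside the hunk.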
@@ -675,7 +675,7 @@ int tcp_signature_tdb_output(struct mbuf
 int checkreplaywindow(struct tdb *, u_int64_t, u_int32_t, u_int32_t *, int);
 /* Packet processing */
-int ipsp_process_packet(struct mbuf *, struct tdb *, int, int);
+int ipsp_process_packet(struct mbuf *, struct tdb *, int, int, int);
 int ipsp_process_done(struct mbuf *, struct tdb *);
 int ipsp_spd_lookup(struct mbuf *, int, int, int, struct tdb *,
 const struct ipsec_level *, struct tdb **, struct ipsec_ids *);
Index: netinet/ip_output.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_output.c,v
diff -u -p -r1.402 ip_output.c
--- netinet/ip_output.c 3 Jan 2025 21:27:40 -0000 1.402
+++ netinet/ip_output.c 4 Feb 2025 08:41:07 -0000
@@ -653,7 +653,7 @@ ip_output_ipsec_send(struct tdb *tdb, st
 KERNEL_LOCK();
 while ((m = ml_dequeue(&ml)) != NULL) {
 /* Callee frees mbuf */
- error = ipsp_process_packet(m, tdb, AF_INET, 0);
+ error = ipsp_process_packet(m, tdb, AF_INET, 0, -1);
 if (error)
 break;
 }
Index: netinet/ipsec_output.c
===================================================================
RCS file: /cvs/src/sys/netinet/ipsec_output.c,v
diff -u -p -r1.99 ipsec_output.c
--- netinet/ipsec_output.c 27 Dec 2024 10:15:09 -0000 1.99
+++ netinet/ipsec_output.c 4 Feb 2025 08:41:07 -0000
@@ -71,7 +71,8 @@ int udpencap_port = 4500; /* triggers de
 * place.
 */
 int
-ipsp_process_packet(struct mbuf *m, struct tdb *tdb, int af, int tunalready)
+ipsp_process_packet(struct mbuf *m, struct tdb *tdb, int af, int tunalready,
+ int setdf)
 {
 int hlen, off, error;
 #ifdef INET6
@@ -80,7 +81,6 @@ ipsp_process_packet(struct mbuf *m, stru
 int dstopt = 0;
 #endif
- int setdf = 0;
 struct ip *ip;
 #ifdef INET6
 struct ip6_hdr *ip6;
@@ -190,7 +190,8 @@ ipsp_process_packet(struct mbuf *m, stru
 * This is not a bridge packet, remember if we
 * had IP_DF.
 */
- setdf = ip->ip_off & htons(IP_DF);
+ if (setdf == -1)
+ setdf = ip->ip_off & htons(IP_DF);
 }
 #ifdef INET6
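Review bot: The new `setdf` parameter is a tri-state (-1, 0 and 1 all appear at the call sites in this diff), yet neither the prototype in ip_ipsp.h nor the header comment above ipsp_process_packet, which starts above this hunk, says what the values mean, and six call sites passing bare literals are easy to get wrong. I would extend that comment with one line per value: `setdf: 1 set DF on the outer IPv4 header, 0 leave it clear, -1 copy the inner IPv4 header's DF bit (the previous behaviour)`. Named constants beside the prototype in ip_ipsp.h, something like `IPSP_DF_INHERIT` for -1 (a constructed name), would make the callers self-explaining, but the comment is the minimum. The function body continues past the hunk.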
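Review bot: The inferred value can never satisfy the check that hunk @@ -257 rewrites as `setdf == 1`: `ip->ip_off & htons(IP_DF)` evaluates to htons(IP_DF), not 1, when the bit is set, so for every caller passing -1 (if_bridge.c, ip_output.c, ip6_output.c and ipsp_process_done) the outer header's DF bit is no longer restored and the old `&& setdf` behaviour regresses. Normalise at the point of inference, `setdf = (ip->ip_off & htons(IP_DF)) ? 1 : 0;`, or relax the comparison to `setdf > 0`; either works, but the first keeps the 0/1 contract that sec(4)'s `!!` already follows. The enclosing branch (presumably the `af == AF_INET` path, judging by the `struct ip *ip` use) and the function start outside the hunk.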
@@ -257,7 +258,8 @@ ipsp_process_packet(struct mbuf *m, stru
 if (error)
 goto drop;
- if (tdb->tdb_dst.sa.sa_family == AF_INET && setdf) {
+ if (tdb->tdb_dst.sa.sa_family == AF_INET &&
+ setdf == 1) {
 if (m->m_len < sizeof(struct ip))
 if ((m = m_pullup(m, sizeof(struct ip))) == NULL) {
@@ -516,7 +518,7 @@ ipsp_process_done(struct mbuf *m, struct
 if (tdbo != NULL) {
 KERNEL_ASSERT_LOCKED();
 error = ipsp_process_packet(m, tdbo,
- tdb->tdb_dst.sa.sa_family, 0);
+ tdb->tdb_dst.sa.sa_family, 0, -1);
 tdb_unref(tdbo);
 return error;
 }
Index: netinet6/ip6_output.c
===================================================================
RCS file: /cvs/src/sys/netinet6/ip6_output.c,v
diff -u -p -r1.294 ip6_output.c
--- netinet6/ip6_output.c 3 Jan 2025 21:27:40 -0000 1.294
+++ netinet6/ip6_output.c 4 Feb 2025 08:41:07 -0000
@@ -2910,7 +2910,7 @@ ip6_output_ipsec_send(struct tdb *tdb, s
 KERNEL_LOCK();
 while ((m = ml_dequeue(&ml)) != NULL) {
 /* Callee frees mbuf */
- error = ipsp_process_packet(m, tdb, AF_INET6, tunalready);
+ error = ipsp_process_packet(m, tdb, AF_INET6, tunalready, -1);
 if (error)
 break;
 }