Index: sys/netipsec/ipsec.c
===================================================================
--- sys/netipsec/ipsec.c (revision 354348)
+++ sys/netipsec/ipsec.c (working copy)
@@ -112,6 +112,8 @@
 /* DF bit on encap. 0: clear 1: set 2: copy */
 VNET_DEFINE(int, ip4_ipsec_dfbit) = 0;
+/* DF bit for transport mode 0: keep, 1: clear */
+VNET_DEFINE(int, ip4_ipsec_trans_cleardf) = 0;
 VNET_DEFINE(int, ip4_esp_trans_deflev) = IPSEC_LEVEL_USE;
 VNET_DEFINE(int, ip4_esp_net_deflev) = IPSEC_LEVEL_USE;
 VNET_DEFINE(int, ip4_ah_trans_deflev) = IPSEC_LEVEL_USE;
@@ -198,6 +200,9 @@
 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN, ecn, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_ipsec_ecn), 0, "Explicit Congestion Notification handling.");
+SYSCTL_INT(_net_inet_ipsec, OID_AUTO, trans_cleardf,
+ CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_ipsec_trans_cleardf), 0,
+ "Clear do not fragment bit for outgoing transport mode packets.");
 SYSCTL_INT(_net_inet_ipsec, OID_AUTO, crypto_support, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(crypto_support), 0, "Crypto driver selection.");
Index: sys/netipsec/ipsec.h
===================================================================
--- sys/netipsec/ipsec.h (revision 354348)
+++ sys/netipsec/ipsec.h (working copy)
@@ -283,6 +283,7 @@
 VNET_DECLARE(int, ip4_ah_net_deflev);
 VNET_DECLARE(int, ip4_ipsec_dfbit);
 VNET_DECLARE(int, ip4_ipsec_ecn);
+VNET_DECLARE(int, ip4_ipsec_trans_cleardf);
 VNET_DECLARE(int, crypto_support);
 VNET_DECLARE(int, async_crypto);
 VNET_DECLARE(int, natt_cksum_policy);
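Review bot: The help string on the added `SYSCTL_INT` for `trans_cleardf` says what the knob does but not what it costs: clearing DF re-enables in-path fragmentation and therefore switches off path-MTU discovery for every IPv4 transport-mode flow, and it is a control separate from `ip4_ipsec_dfbit`, whose comment in the first hunk says that one applies on encapsulation. Consider something like `"Clear DF bit on outgoing IPv4 transport mode packets (disables PMTUD for them; 0 keeps the bit as set by the sender)."`. The `VNET_DEFINE` comment `0: keep, 1: clear` could also say that any non-zero value enables the behaviour, since the consumer in ipsec_output.c only tests the variable for truth.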
@@ -297,6 +298,7 @@
 #define V_ip4_ah_net_deflev VNET(ip4_ah_net_deflev)
 #define V_ip4_ipsec_dfbit VNET(ip4_ipsec_dfbit)
 #define V_ip4_ipsec_ecn VNET(ip4_ipsec_ecn)
+#define V_ip4_ipsec_trans_cleardf VNET(ip4_ipsec_trans_cleardf)
 #define V_crypto_support VNET(crypto_support)
 #define V_async_crypto VNET(async_crypto)
 #define V_natt_cksum_policy VNET(natt_cksum_policy)
Index: sys/netipsec/ipsec_output.c
===================================================================
--- sys/netipsec/ipsec_output.c (revision 354348)
+++ sys/netipsec/ipsec_output.c (working copy)
@@ -240,6 +240,10 @@
 }
 inp = NULL;
 }
+ else if (V_ip4_ipsec_trans_cleardf &&
+ sp->req[idx]->saidx.mode == IPSEC_MODE_TRANSPORT) {
+ ip->ip_off &= htons(~IP_DF);
+ }
 IPSEC_INIT_CTX(&ctx, &m, inp, sav, dst->sa.sa_family, IPSEC_ENC_AFTER);
 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0)
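Review bot: The added `else if` sits on its own line below the closing brace of the preceding block, which style(9) does not allow; the brace should be cuddled, `} else if (V_ip4_ipsec_trans_cleardf &&`, with the continuation line indented by four spaces. The `if` this `else` belongs to, and the `ip` pointer it writes through, are set up before the hunk, and the enclosing function continues after it, so the condition's relationship to the encapsulation test above is not visible here; a one-line comment would fix that, e.g. `/* No encapsulation was done: optionally drop DF so the transform-grown packet can be fragmented on the path instead of being discarded. */`. Two things to confirm outside the hunk: that the IPv4 header checksum is recomputed by a later stage for transport-mode output, since this store modifies a checksummed field, and that the peer's reassembly-before-authentication behaviour is acceptable for the deployments this knob is meant for.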