[Openswan dev] Missing packet id on ESP packets breaks fragment
mcr at sandelman.ottawa.on.ca
Fri Jul 29 19:07:37 CEST 2005
>>>>> "Peter" == Peter Lenci <peterlenci at yahoo.ca> writes:
>> Well, two things: a) If you set DF, then you should not set the
Peter> Hmm... that is your opinion! There are extended threads just
Peter> about this subject (eg
Actually, I tend to disagree with the view, but it is correct
according to the RFC. I do want to permit the outgoing packet to be
fragmented if necessary.
We have generally created oversize ESP packets without DF set, and
permitted them to be fragmented. This violates RFC2003 (we would
fragment the ESP even if the inner packet had DF set); the occurrence of
ICMP lossage means that this has been required.
We intend to become compliant with the new PMTU rules the WG wrote
Peter> Could you please do me a favor and run the following tcpdump
Peter> command on your physical interface and tell me whether you get
Peter> any output when sending large ICMP echo packets through the
Peter> tunnel? Because if you do see anything then your setup is
Peter> broken too...
Yes, I will do this.
Can you tell me which kernel you are working with?
Michael Richardson, Xelerance Corporation, Ottawa, ON
mcr @ xelerance.com | http://www.sandelman.ca/mcr/
Now doing IPsec training, see www.xelerance.com/training/
I'm a dad: http://www.sandelman.ca/lrmr/
(firewalls | net architect | device driver)
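The point being argued above, as an added worked example (my own code, not Openswan's kernel code and not the tcpdump command Peter refers to): an inner ICMP echo with DF set is wrapped in a tunnel-mode ESP packet that no longer fits the path MTU. The "legacy" branch models what Michael describes, an outer packet built without DF that gets fragmented on the wire; the other branch copies the inner DF bit to the outer header and, when the result is too big, drops it and reports the MTU left for the inner packet after ESP overhead. No encryption is done; the ESP overhead constant, the sample packet sizes and the 10.0.0.x addresses are assumptions for illustration. is_fragment() applies the same test a tcpdump fragment filter applies to the outer header (MF set or fragment offset nonzero), so it is the check you would run over packets seen on the physical interface.

```python
"""Model of the ESP tunnel-mode DF / fragmentation decision discussed in the thread.

Added example, not Openswan code. Sizes, the ESP overhead constant and the
sample packets below are constructed assumptions.
"""
import struct

IP_DF = 0x4000          # Don't Fragment flag in the flags/fragment-offset field
IP_MF = 0x2000          # More Fragments flag
IP_OFFSET_MASK = 0x1FFF
IP_PROTO_ICMP = 1
IP_PROTO_ESP = 50

# Assumed per-packet overhead of a tunnel-mode ESP SA: 20 (outer IPv4) +
# 8 (SPI + seq) + 8 (IV) + up to 15 pad + 2 (pad len, next header) + 12 (ICV).
ESP_OVERHEAD = 20 + 8 + 8 + 15 + 2 + 12


def build_ipv4(payload, proto, df, ident=1, src=b"\x0a\x00\x00\x01",
               dst=b"\x0a\x00\x00\x02", mf=False, offset=0):
    """Minimal IPv4 header (no options, checksum left 0) in front of payload.
    `offset` is the 13-bit fragment offset field, i.e. in units of 8 bytes."""
    flags_frag = (IP_DF if df else 0) | (IP_MF if mf else 0) | (offset & IP_OFFSET_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload


def parse_ipv4(pkt):
    """Return the header fields a fragment filter and a fragmenter need."""
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"total_len": total_len, "ident": ident, "proto": proto,
            "ihl": (ver_ihl & 0x0F) * 4, "src": src, "dst": dst,
            "df": bool(flags_frag & IP_DF), "mf": bool(flags_frag & IP_MF),
            "offset": (flags_frag & IP_OFFSET_MASK) * 8}  # offset in bytes


def is_fragment(pkt):
    """Same test as the tcpdump expression 'ip[6:2] & 0x3fff != 0'."""
    f = parse_ipv4(pkt)
    return f["mf"] or f["offset"] != 0


def fragment_ipv4(pkt, mtu):
    """Fragment an IPv4 packet to fit mtu; refuse if DF is set (RFC 791 rule)."""
    f = parse_ipv4(pkt)
    if len(pkt) <= mtu:
        return [pkt]
    if f["df"]:
        raise ValueError("DF set: must drop and send ICMP fragmentation needed")
    ihl = f["ihl"]
    payload = pkt[ihl:]
    chunk = (mtu - ihl) // 8 * 8   # all but the last fragment carry a multiple of 8 bytes
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more = off + chunk < len(payload)
        frags.append(build_ipv4(piece, f["proto"], df=False, ident=f["ident"],
                                src=f["src"], dst=f["dst"], mf=more, offset=off // 8))
    return frags


def sample_echo(data_len=1472, df=True):
    """Constructed inner packet: ICMP echo request carrying data_len payload bytes."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + bytes(data_len)
    return build_ipv4(icmp, IP_PROTO_ICMP, df=df)


def encapsulate(inner, pmtu, legacy):
    """Decide what leaves the physical interface for `inner` on a tunnel-mode ESP SA.

    legacy=True: outer header built without DF and fragmented on the wire even if
    the inner packet had DF set (the behaviour described in the mail).
    legacy=False: inner DF copied to the outer header; an oversize packet is
    dropped and an ICMP "fragmentation needed" advertises pmtu minus ESP overhead.
    """
    f = parse_ipv4(inner)
    outer_df = (not legacy) and f["df"]
    # Stand-in for the encrypted ESP body: inner packet plus the assumed trailer bytes.
    esp_body = inner + bytes(ESP_OVERHEAD - 20)
    outer = build_ipv4(esp_body, IP_PROTO_ESP, df=outer_df, ident=f["ident"])
    if len(outer) <= pmtu:
        return {"action": "send", "wire": [outer], "icmp_mtu": None}
    if outer_df:
        return {"action": "drop+icmp_needfrag", "wire": [], "icmp_mtu": pmtu - ESP_OVERHEAD}
    return {"action": "fragment", "wire": fragment_ipv4(outer, pmtu), "icmp_mtu": None}


if __name__ == "__main__":
    inner = sample_echo()          # 1500-byte inner packet with DF set
    for legacy in (True, False):
        r = encapsulate(inner, 1500, legacy)
        print(f"legacy={legacy}: {r['action']}, wire packets={len(r['wire'])}, "
              f"fragments={[is_fragment(p) for p in r['wire']]}, icmp_mtu={r['icmp_mtu']}")
```

With the assumed overhead a 1500-byte inner echo becomes a 1565-byte outer packet: the legacy path puts two fragments on the wire (both match the fragment test), while the DF-copying path sends nothing and reports an MTU of 1435 back to the sender, which is the difference a capture on the physical interface would show.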