[Openswan dev] IPv6 fragmentation for KLIPS vs NETKEY

Paul Wouters paul at xelerance.com
Mon Apr 25 14:48:38 EDT 2011

Hey David,

I see the following code in ipsec_xmit.c:

                 notify = nexthdr != IPPROTO_ICMP &&
                                 nexthdr != IPPROTO_ICMPV6;

                 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
                             "klips_debug:ipsec_xmit_init2: "
                             "fragmentation needed ; %sdropping packet\n",
                             notify ? "sending ICMP and " : "");
                 if (notify)

When testing IPv6 with ping6 -s 1400, KLIPS will drop the packet,
and not send an ICMP6 fragmentation needed packet, causing the ping to

Is there a (good) reason for this behaviour? If it is to avoid sending
icmps in responds to icmps, could we check for ICMP_DEST_UNREACH,
ICMP_FRAG_NEEDED? Or could we let ECHO response/reply through?

Despite that, I don't think that is the real issue here. We do see
frag needed packets, but on ipsecX, not ethX. And I don't think they
ever make it to the right place.

For reference, NETKEY fragments the ESP packet and the pings work fine.

More information about the Dev mailing list