[Openswan Users] ipsec0: MTU of 16260
Graham Leggett
minfrin at sharp.fm
Thu Jul 1 19:38:06 CEST 2004
Paul Wouters wrote:

>>Ah, but I don't want to play around with the MTU.
> Then don't :)

I'm not changing the MTU because I want to, but because changing the MTU
changes the VPN from "not working" to "working". I now need to find and
solve whatever problem is creating the need to change the MTU, thus the
question.

>>For reasons not known, the MTU as created by openswan on the ipsec
>>device is set to a number which doesn't work for some reason
> How do you know? It is a virtual interface. Do not change that mtu, change
> it of the underlying physical device.

Because I see it to be so in front of me :)

If the MTU of ipsec0 is 16260, the VPN does not work. If the MTU of
ipsec0 is 1400, the VPN works. Connections _not_ using the VPN always
work, because the MTU has already been dropped from the default of 1492
to its current value of 1466.

I suspect the ISP is breaking IP fragmentation, but I need to go to the
ISP with solid facts (as in "mr ISP, you're doing this, and it's broken"
rather than "mr ISP, you might be doing this, and feel free to blame it
on something else and so pretend the issue does not exist"), thus my
question here.

Will broken IP fragmentation underlying the physical network cause
broken fragmentation inside VPN packets? In other words is the
fragmentation of the packet something encrypted and stored in the VPN's
private payload, or is the fragmentation done at the UDP layer for the
world to see? I just need to get my facts straight before battling the ISP.

Regards,
Graham