[Openswan Users] DF flag on ESP packets

Marc H. Thoben chojin at gmx.net
Mon Oct 11 04:28:03 CEST 2004

Hi Herbert,

On 11th of October 2004 at  7:26:32, Herbert Xu wrote:
> Marc H. Thoben <chojin at gmx.net> wrote:
> > 
> > I'd like to know, if, when using the kernel's ipsec implementation, the 
> > DF flag is set on all ESP packets and whether the DF flag is set by the 
> > kernel or openswan.
> The DF bit is inherited from the inner packet.

thanks for replying.

So, from my naive point of view, am I correct that the kernel
modules I have loaded envelop the packets going through an ipsec
tunnel in ESP packets?

See, I have a problem with some friends running an ssh session
through the ipsec tunnel they have established to a computer with a
10mbit line, which is using the ipsec implementation of the kernel.
That computer was using the ipsec-device of freeswan up until a few
days ago. Everything worked, until I upgraded that machine to

I tcpdumped a lot, and since all those friends are using DSL lines to
connect to the internet, I came to a point realizing that the DF flag
is the killing factor, because the 10mbit machine has an MTU of 1500
and the DSL users have 1460 or 1492, depending on their provider.
Synchronizing all MTUs is not an option.

Using the ipsec-device of free-/openswan, the created ESP packets do
not inherit the DF flag from the inner packets, and it is working
nevertheless... (?!)

Do you know of a way to prevent the ESP packets from inheriting that flag?

Best regards,
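The following is an added illustration of the mechanism discussed in this thread, not code from the mail or from Openswan. It models a tunnel-mode ESP encapsulation whose outer IPv4 header inherits the DF bit from the inner packet (as Herbert Xu describes for the kernel implementation) and checks whether the resulting packet fits a DSL path MTU of 1492 or 1460. The ESP overhead figures are assumptions for the sake of the example: a 20-byte outer IPv4 header without options, an 8-byte ESP header, a 16-byte IV and 16-byte cipher block (AES-CBC), and a 12-byte ICV (HMAC-SHA1-96). The sample packets are constructed inline.

```python
import struct

# Assumed tunnel-mode ESP overhead (AES-CBC + HMAC-SHA1-96); not from the mail.
OUTER_IP_HDR = 20   # outer IPv4 header, no options
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
IV_LEN = 16         # AES-CBC IV
BLOCK = 16          # AES block size; ESP payload is padded to a multiple of it
ICV_LEN = 12        # HMAC-SHA1-96 integrity check value

DF_BIT = 0x4000     # "Don't Fragment" bit in the IPv4 flags/fragment-offset field


def esp_tunnel_len(inner_len):
    """On-the-wire size of a tunnel-mode ESP packet carrying an inner IP packet
    of inner_len bytes, following the RFC 4303 layout (header, IV, padded
    payload + trailer, ICV) inside a new outer IPv4 header."""
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // BLOCK) * BLOCK          # round up to block size
    return OUTER_IP_HDR + ESP_HDR + IV_LEN + padded + ICV_LEN


def ipv4_df_set(pkt):
    """True if the DF bit is set in the IPv4 header of pkt (raw bytes)."""
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    flags_frag = struct.unpack_from("!H", pkt, 6)[0]
    return bool(flags_frag & DF_BIT)


def tunnel_verdict(inner_pkt, path_mtu):
    """What happens to inner_pkt after ESP encapsulation on a path with
    path_mtu, when the outer header inherits the inner packet's DF bit:
    'forwarded' if it fits, 'fragmented' if it does not fit but DF is clear,
    'dropped' if it does not fit and DF is set (an ICMP "fragmentation needed"
    would have to reach the original sender for it to recover)."""
    outer_len = esp_tunnel_len(len(inner_pkt))
    if outer_len <= path_mtu:
        return "forwarded"
    return "dropped" if ipv4_df_set(inner_pkt) else "fragmented"


def max_inner_len(path_mtu):
    """Largest inner packet whose ESP encapsulation still fits path_mtu."""
    n = path_mtu
    while n > 0 and esp_tunnel_len(n) > path_mtu:
        n -= 1
    return n


def build_ipv4(payload_len, df):
    """Constructed sample: minimal IPv4 header (protocol 6, 10.0.0.1 -> 10.0.0.2)
    followed by payload_len zero bytes; checksum left as 0 for simplicity."""
    total = 20 + payload_len
    flags = DF_BIT if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, flags, 64, 6, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + b"\x00" * payload_len


if __name__ == "__main__":
    # A full-size 1500-byte segment from the 1500-MTU host, DF set as TCP
    # with PMTU discovery does, versus the two DSL path MTUs from the mail.
    full = build_ipv4(1480, df=True)
    for mtu in (1492, 1460):
        print(mtu, len(full), "->", esp_tunnel_len(len(full)),
              tunnel_verdict(full, mtu), "max inner:", max_inner_len(mtu))
```

With the assumed cipher sizes a 1500-byte inner packet grows to 1560 bytes on the wire, so it cannot fit either DSL MTU; with DF inherited it is dropped instead of fragmented, which matches the stalled ssh sessions described above.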
