[Openswan Users] DF flag on ESP packets
Marc H. Thoben
chojin at gmx.net
Mon Oct 11 04:28:03 CEST 2004
Hi Herbert,
On 11th of October 2004 at 7:26:32, Herbert Xu wrote:
> Marc H. Thoben <chojin at gmx.net> wrote:
> >
> > I'd like to know, if, when using the kernel's ipsec implementation, the
> > DF flag is set on all ESP packets and whether the DF flag is set by the
> > kernel or openswan.
>
> The DF bit is inherited from the inner packet.
Thanks for replying.
So, from my naive point of view, am I correct that the kernel
modules I have loaded envelop the packets going through an ipsec
tunnel in ESP packets?
See, I have a problem with some friends running an ssh session
through the ipsec tunnel they have established to a computer with a
10mbit line, which is using the ipsec implementation of the kernel.
That computer was using the ipsec-device of freeswan up until a few
days ago. Everything worked, until I upgraded that machine to
sarge/openswan/kernel-ipsec.
I tcpdumped a lot and, since all those friends are using dsl lines to
connect to the internet, I came to the point of realizing that the DF flag
is the killing factor, because the 10mbit machine has an mtu of 1500
and the dsl users have 1460 or 1492, depending on their provider.
Synchronizing all mtus is not an option.
Using the ipsec-device of free-/openswan, the created ESP packets do
not inherit the DF from the inner packets, and it is working
nevertheless...(?!)
Do you know of a way to prevent the ESP packets from inheriting that flag?
--
Best regards,
Marc
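The arithmetic behind the problem Marc describes, as an added example that is not part of the original thread and not code from Openswan or the kernel: an inner packet of 1500 bytes grows by the outer IP header, the ESP header, the IV, cipher-block padding, the ESP trailer and the ICV, so it no longer fits a 1492- or 1460-byte path. If the outer header inherits DF from the inner packet (the kernel behaviour Herbert states), the oversized packet is dropped with an ICMP "fragmentation needed" instead of being fragmented. The transform (AES-CBC with a 16-byte IV and HMAC-SHA1-96 with a 12-byte ICV), the addresses and the packet contents are assumptions for the example, not details from the mail; the model only covers the size arithmetic, not the kernel's own path-MTU handling.

```python
"""ESP tunnel-mode size arithmetic and DF-bit handling.

Added example, not code from the original thread or from Openswan/the kernel.
Assumed transform (not stated in the mail): AES-CBC (16-byte IV, 16-byte
block) with HMAC-SHA1-96 (12-byte ICV), IPv4 outer header without options.
"""
import struct

IPV4_HEADER = 20   # outer IPv4 header, no options
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
DF_FLAG = 0x4000   # "don't fragment" bit in the IPv4 flags/fragment-offset field


def esp_tunnel_size(inner_len, iv_len=16, block_len=16, icv_len=12):
    """Outer IPv4 packet length after ESP tunnel-mode encapsulation.

    The inner packet plus the 2-byte ESP trailer is padded up to a
    multiple of the cipher block size, then framed by the outer IP
    header, the ESP header, the IV and the ICV (RFC 2406 layout).
    """
    payload = inner_len + ESP_TRAILER
    pad = (-payload) % block_len
    return IPV4_HEADER + ESP_HEADER + iv_len + payload + pad + icv_len


def max_inner_len(path_mtu, **esp):
    """Largest inner packet whose ESP-encapsulated form still fits path_mtu."""
    best = 0
    for inner in range(path_mtu + 1):
        if esp_tunnel_size(inner, **esp) <= path_mtu:
            best = inner
    return best


def build_ipv4_header(total_len, df, proto=6):
    """Constructed sample IPv4 header (checksum left zero; enough for parsing)."""
    flags_frag = DF_FLAG if df else 0
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_len, 0x1234, flags_frag, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # assumed addresses


def df_set(ipv4_header):
    """True if the DF bit is set in a raw IPv4 header."""
    flags_frag, = struct.unpack("!H", ipv4_header[6:8])
    return bool(flags_frag & DF_FLAG)


def outer_fate(inner_header, path_mtu, inherit_df=True, **esp):
    """What happens to the encapsulated packet on a link with path_mtu.

    inherit_df=True models the behaviour Herbert describes for the kernel
    stack (outer DF copied from the inner packet); inherit_df=False models
    an outer header with DF clear, so an oversized packet is fragmented
    instead of being dropped with an ICMP "fragmentation needed".
    """
    inner_len, = struct.unpack("!H", inner_header[2:4])
    outer_len = esp_tunnel_size(inner_len, **esp)
    if outer_len <= path_mtu:
        return "fits"
    outer_df = df_set(inner_header) if inherit_df else False
    return "icmp-frag-needed" if outer_df else "fragmented"


if __name__ == "__main__":
    # Constructed: a full-size 1500-byte inner packet with DF set, as a
    # host with a 1500-byte MTU and path-MTU discovery enabled would send.
    full = build_ipv4_header(1500, df=True)
    print("outer size of a 1500-byte inner packet:", esp_tunnel_size(1500))
    for mtu in (1500, 1492, 1460):
        print(mtu, "inherit DF:", outer_fate(full, mtu),
              "| DF clear:", outer_fate(full, mtu, inherit_df=False))
    print("largest inner packet that fits a 1492-byte path:", max_inner_len(1492))
```

With the assumed transform a 1500-byte inner packet becomes 1560 bytes on the wire, so it exceeds even a 1500-byte path; only inner packets of 1422 bytes or less survive a 1492-byte path without fragmentation. Swapping in `iv_len=8, block_len=8` models 3DES-CBC, which pads less but still overshoots.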