[Openswan Users] DF flag on ESP packets

Alexander Samad alex at samad.com.au
Mon Oct 11 13:12:53 CEST 2004


On Mon, Oct 11, 2004 at 03:28:03AM +0200, Marc H. Thoben wrote:
> Hi Herbert,
> 
> On 11th of October 2004 at  7:26:32, Herbert Xu wrote:
> > Marc H. Thoben <chojin at gmx.net> wrote:
> > > 
> > > I'd like to know, if, when using the kernel's ipsec implementation, the 
> > > DF flag is set on all ESP packets and whether the DF flag is set by the 
> > > kernel or openswan.
> > 
> > The DF bit is inherited from the inner packet.
> 
> thanks for replying.
> 
> So, from my naive point of view, am I correct that the kernel
> modules I have loaded envelope the packets going through an ipsec
> tunnel in ESP packets?
> 
> 
> See, I have a problem with some friends running a ssh-session
> through the ipsec tunnel they have established to a computer with a
> 10mbit line, which is using the ipsec implementation of the kernel.
> That computer was using the ipsec-device of freeswan up until a few
> days. Everything worked, until I upgraded that machine to
> sarge/openswan/kernel-ipsec.
> 
> I tcpdumped a lot and since all those friends are using dsl lines to
> connect to the internet, I came to a point realizing that the DF flag
> is the killing factor, because the 10mbit machine has an mtu of 1500
> and the dsl users have 1460 or 1492, depending on their provider.
> Synchronizing all mtus is not an option.
> 
> Using the ipsec-device of free-/openswan the created ESP packets do
> not inherit the DF from the inner packets, and it is working
> nevertheless...(?!)
> 
> 
> Do you know of a way to prevent the ESP packets from inheriting that flag?

why not set the mtu for the route with ip 


> 
> -- 
> Best regards,
>   Marc
> 
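The following is an added example, not part of the thread and not Openswan or kernel code. It parses the outer IPv4 header of a captured packet and reports what a hop with a smaller MTU does with an ESP packet, using the MTU values mentioned above (1500, 1492, 1460). The function names and the sample headers are constructed for illustration.

```python
import struct

ESP_PROTO = 50      # IANA IP protocol number for ESP
DF_BIT = 0x4000     # "Don't Fragment" bit in the flags/fragment-offset field


def build_ipv4_header(total_len, proto, df):
    """Constructed sample input: a minimal 20-byte IPv4 header (checksum left 0)."""
    flags_frag = DF_BIT if df else 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, flags_frag,
                       64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))


def parse_ipv4_header(raw):
    """Return total length, protocol and DF flag from raw IPv4 header bytes."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", raw[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"total_len": total_len, "proto": proto,
            "df": bool(flags_frag & DF_BIT)}


def classify(raw, path_mtu):
    """What a hop with MTU `path_mtu` does with this outer packet."""
    hdr = parse_ipv4_header(raw)
    if hdr["proto"] != ESP_PROTO:
        return "not-esp"
    if hdr["total_len"] <= path_mtu:
        return "fits"
    # Too big for the link: DF decides between fragmentation and a drop
    # that is reported with ICMP type 3 code 4 (fragmentation needed).
    return "drop-icmp-frag-needed" if hdr["df"] else "fragment"


if __name__ == "__main__":
    for mtu in (1492, 1460):
        for df in (True, False):
            pkt = build_ipv4_header(1500, ESP_PROTO, df)
            print(f"1500-byte ESP, DF={df}, path MTU {mtu}: {classify(pkt, mtu)}")
```

If the ICMP "fragmentation needed" replies are filtered somewhere on the path, the sender never learns the smaller MTU and full-size packets silently disappear while small ones still get through.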

