[Openswan Users] NETKEY vs KLIPS on a 2.6 kernel

Herbert Xu herbert at gondor.apana.org.au
Sat Jun 11 09:58:42 CEST 2005

Paul Wouters <paul at xelerance.com> wrote:
> That is not correct. One of the biggest problems of NETKEY is that it does
> not support path mtu discovery, which breaks 90% of the setups people want
> to do.

Not quite.  If anything the native stack supports PMTUD over IPsec
better compared to KLIPS.  The reason KLIPS currently works in more
setups is because it doesn't do PMTUD at all by default.  Instead it
always sends out packets with DF turned off so they're simply fragmented
by the routers along the way.

You can enable some sort of PMTU discovery in KLIPS by enabling
/proc/net/ipsec/icmp, but even that falls short of proper PMTU discovery
since it doesn't push the information back into the networking layer.

It should be fairly easy to add support to the native stack to disable
PMTUD for specific SAs or globally.

Visit Openswan at http://www.openswan.org/
Email: Herbert Xu <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
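The three behaviours Herbert contrasts, as an added example that is not part of the original post or of Openswan: a small Python model of a gateway encapsulating packets behind a path whose MTU is smaller than the encapsulated packet. The ESP overhead figure, the addresses and the mode names are constructed assumptions, and the 'klips_icmp' mode is a simplified reading of what the post says about /proc/net/ipsec/icmp.

```python
import math
import struct

IPV4_HDR = 20
# Constructed figure: outer IP + ESP header + IV + pad/trailer + ICV in tunnel mode.
ESP_OVERHEAD = 20 + 8 + 16 + 2 + 12
DF_FLAG = 0x4000  # "Don't Fragment" bit in the IPv4 flags/fragment-offset field

def ipv4_header(total_length, df):
    """Minimal outer IPv4 header (ESP, proto 50); only length and DF matter here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0,
                       DF_FLAG if df else 0, 64, 50, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def has_df(header):
    return bool(struct.unpack("!H", header[6:8])[0] & DF_FLAG)

def router_forward(header, link_mtu):
    """What a router on the path does with the encapsulated packet."""
    total_length = struct.unpack("!H", header[2:4])[0]
    if total_length <= link_mtu:
        return "forwarded", 1
    if has_df(header):
        return "icmp_frag_needed", link_mtu  # drop + RFC 1191 feedback to the sender
    per_fragment = (link_mtu - IPV4_HDR) // 8 * 8  # fragment payload, 8-byte aligned
    return "fragmented", math.ceil((total_length - IPV4_HDR) / per_fragment)

def tunnel_send(inner_length, path_mtu, mode, route_mtu):
    """Encapsulate one inner packet; returns (outcome, route_mtu). Hypothetical modes:
      'klips'      DF cleared on the outer packet, so routers fragment (KLIPS default)
      'klips_icmp' DF set; the ICMP is seen but the route MTU above is never updated
      'native'     DF set; the ICMP lowers the route MTU, which sizes later packets
    """
    outer_length = inner_length + ESP_OVERHEAD
    if mode == "native" and outer_length > route_mtu:
        return ("pre_fragmented", math.ceil(outer_length / route_mtu)), route_mtu
    outcome = router_forward(ipv4_header(outer_length, mode != "klips"), path_mtu)
    if outcome[0] == "icmp_frag_needed" and mode == "native":
        route_mtu = outcome[1]  # the information is pushed back into the networking layer
    return outcome, route_mtu

def session(inner_lengths, path_mtu, mode, route_mtu=1500):
    """Send packets in order and return the outcome of each."""
    outcomes = []
    for length in inner_lengths:
        (what, _detail), route_mtu = tunnel_send(length, path_mtu, mode, route_mtu)
        outcomes.append(what)
    return outcomes
```

With two 1400-byte inner packets and a 1400-byte path MTU, 'klips' gets both through as router fragments, 'native' loses the first to ICMP and then sizes the second correctly, and 'klips_icmp' keeps losing packets because nothing above it learns the MTU.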