[Openswan Users] 2.4.5 klips mtu issue

Brian Candler B.Candler at pobox.com
Mon Apr 10 16:01:21 CEST 2006

On Fri, Apr 07, 2006 at 07:06:21PM +0200, Paul Wouters wrote:
> We are trying to build a testcase that reproduces this behaviour.

I've been trying to get to the bottom of why the DF bit is set in the first
place. If I run l2tpd without IPSEC, the outbound packets still have DF set.
In fact, even the attached tiny test program sends UDP packets with DF set
if run under Linux. However if I run it under FreeBSD, the DF bit is not

I know this isn't directly Openswan related, but why does Linux set the DF
bit on UDP packets, and how can I stop it from doing so?

If I can modify l2tpd so that it doesn't set DF, then maybe the problem with
running it through Openswan for transport mode IPSEC will vanish. In any
case this looks like a bug when using l2tp: there is no l2tp mechanism for
reducing the "path MTU" in response to ICMP frag-needed, so packets which
reach a lower-MTU gateway would just be blackholed.



----------- 8< ------------------------------------------------------------
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

int main(void)
    int s;
    char buf[] = "abc";
    int buflen = 3;
    struct in_addr t;
    struct sockaddr_in to;
    if ((s = socket (PF_INET, SOCK_DGRAM, 0)) < 0) {

    to.sin_family = AF_INET;
    t.s_addr = htonl(0x01020304);
    memcpy(&to.sin_addr, &t.s_addr, 4);
    to.sin_port = htons(9999);

    sendto (s, buf, buflen, 0,
            (struct sockaddr *) &to, sizeof (to));

    return 0;

More information about the Users mailing list