[Openswan Users] 2.4.5 klips mtu issue

Brian Candler B.Candler at pobox.com
Mon Apr 10 17:22:48 CEST 2006


On Mon, Apr 10, 2006 at 04:44:58PM +0200, Paul Wouters wrote:
> > OK, I can do
> >
> > # echo "1" > /proc/sys/net/ipv4/ip_no_pmtu_disc
> >
> > and the problem goes away; l2tpd+Openswan 2.4.5 can happily talk to Cisco
> > IOS.
> 
> Does it still set the DF bit? That is what we believed happened in our
> tests. Perhaps we need to redo our tests.....

The DF bit is clear, seen using tcpdump on both 2.4.30 and 2.6.9. I think it
would be a good idea to do your tests again - I'll try to replicate them
here, if they're different to mine.

I take your point about it being best to avoid fragmentation of IPSEC
packets by controlling LCP/IPCP MTU, although when it was failing I wasn't
getting that far.

(I'm not quite sure why fragments are a major problem for transport mode
though. I would have thought that the IP stack would first assemble the
fragments at the endpoint host, and then apply IPSEC processing to the
complete packet - is that not what happens?)

Regards,

Brian.

