[Openswan Users] 2.4.5 klips mtu issue

Paul Wouters paul at xelerance.com
Mon Apr 10 17:43:33 CEST 2006


On Mon, 10 Apr 2006, Brian Candler wrote:

> In fact, even the attached tiny test program sends UDP packets with DF set
> if run under Linux. However if I run it under FreeBSD, the DF bit is not
> set.

Yes, it seems specific to linux.

> I know this isn't directly Openswan related, but why does Linux set the DF
> bit on UDP packets, and how can I stop it from doing so?

I am not sure. I know that changing /proc/sys/net/ipv4/ip_no_pmtu_disc does
not change the behaviour.

> If I can modify l2tpd so that it doesn't set DF, then maybe the problem with
> running it through Openswan for transport mode IPSEC will vanish. In any
> case this looks like a bug when using l2tp: there is no l2tp mechanism for
> reducing the "path MTU" in response to ICMP frag-needed, so packets which
> reach a lower-MTU gateway would just be blackholed.

You must always ensure there is no fragmentation for transport mode ipsec
packets. What seems to work best in our experience is to set the ethX mtu
of the ipsec gateway to about 1460, and the mtu/mru in options.l2tpd to
about 1200.

I believe Microsoft uses an mtu of 1400 for L2TP/IPsec packets (e.g. the
inner packet mtu).

Paul
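Brian's question about stopping Linux from setting DF on UDP has a per-socket answer that the thread itself does not give: Linux's IP_MTU_DISCOVER socket option, set to IP_PMTUDISC_DONT. The block below is an added example for this page, not code from the thread, from Openswan or from l2tpd; the function names are mine, and the numeric fallbacks are the constants from <linux/in.h> for Python builds that do not export them. The sysctl mentioned above is only consulted when a socket is created, so the socket option is the reliable way to change an already-running daemon's behaviour.

```python
"""Clear the DF bit on a Linux UDP socket (added example, not from the thread)."""
import socket
import sys

# Values from <linux/in.h>. Linux builds of CPython usually expose these in
# the socket module; fall back to the numeric constants if they are missing.
IP_MTU_DISCOVER = getattr(socket, "IP_MTU_DISCOVER", 10)
IP_PMTUDISC_DONT = getattr(socket, "IP_PMTUDISC_DONT", 0)  # never set DF, fragment locally
IP_PMTUDISC_WANT = getattr(socket, "IP_PMTUDISC_WANT", 1)  # kernel default: follow route
IP_PMTUDISC_DO = getattr(socket, "IP_PMTUDISC_DO", 2)      # always set DF


def pmtu_mode(sock):
    """Return the socket's current IP_MTU_DISCOVER setting."""
    return sock.getsockopt(socket.IPPROTO_IP, IP_MTU_DISCOVER)


def disable_df(sock):
    """Stop the kernel from setting DF on datagrams sent from this socket.

    With IP_PMTUDISC_DONT an oversized datagram is fragmented by the sending
    host instead of being dropped (or blackholed) at a lower-MTU hop, which
    is the failure mode described for L2TP over transport-mode IPsec.
    Returns the mode read back from the kernel.
    """
    sock.setsockopt(socket.IPPROTO_IP, IP_MTU_DISCOVER, IP_PMTUDISC_DONT)
    return pmtu_mode(sock)


def open_udp_socket_without_df():
    """Create an IPv4 UDP socket with path-MTU discovery (and DF) turned off."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    disable_df(sock)
    return sock


def df_is_cleared_on_new_socket():
    """Self-check: True if a fresh socket reads back IP_PMTUDISC_DONT.

    Returns None on non-Linux platforms, where IP_MTU_DISCOVER does not
    exist (FreeBSD, as noted in the thread, does not set DF on UDP anyway).
    """
    if not sys.platform.startswith("linux"):
        return None
    with open_udp_socket_without_df() as sock:
        return pmtu_mode(sock) == IP_PMTUDISC_DONT


if __name__ == "__main__":
    if not sys.platform.startswith("linux"):
        sys.exit("IP_MTU_DISCOVER is Linux-specific")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        print("mode before:", pmtu_mode(s))   # normally IP_PMTUDISC_WANT (1)
        print("mode after: ", disable_df(s))  # IP_PMTUDISC_DONT (0)
```

Run it on a Linux host to see the socket move from the default IP_PMTUDISC_WANT to IP_PMTUDISC_DONT; a packet capture on the outgoing interface then shows the DF flag clear on datagrams sent from that socket. Applying the same setsockopt call in the daemon that opens the UDP socket (l2tpd's port 1701 socket, in this thread's case) is what would make its packets fragmentable, though the MTU settings Paul gives above remain the way to avoid fragmentation of the IPsec packets in the first place.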