[Openswan Users] MTU/DF problem with 2.6

Beschorner Daniel Daniel.Beschorner at facton.com
Mon Feb 13 22:30:55 CET 2006


>> On Mon, 2006-02-13 at 16:11 +0100, Beschorner Daniel wrote:
>> We have an IPSEC scenario with peer MTUs of 1500 and 1492.
>> Packets with an MTU of 1500 bytes sent from the tunnel router to the 1492
>> peer won't reach their destination, a destination-unreachable message is
>> generated and shown in the sender's kernel log ("pmtu discovery on SA
>> ESP...").
>> But unfortunately this information never reaches the sender inside the
>> tunnel.
>> 
>> So my question is: KLIPS (2.4) sends the ESP packets always without the DF
>> flag, so they reach their destination, even though fragmented.
>> 
>> Can I force the 2.6 kernel implementation to also clear the DF flag always?
>>
 
> A brute-force answer:
> "echo 1 >/proc/sys/net/ipv4/ip_no_pmtu_disc"
> will turn off pmtud for all packets (not just esp), I believe.

It's a pity, PMTUD is working well and very useful for non-ESP traffic.

