[Openswan Users] PMTUD after ipsec
fs at globalnetit.com
Thu Jan 12 02:48:12 CET 2006
I'm sure this must be a well-discussed topic, but I can't find any
references to it.
I'd be interested to hear how others have solved this -
Consider a network path from hostA to hostB with part of the path inside
an IPsec tunnel:
HostA -- sg1 --Internet-- sg2 --- router1 --- router2 --- HostB
where sg1 and sg2 are IPsec peers with a policy that allows traffic
to/from hosts A & B only, and the path from router1 to router2 has a
smaller MTU than the other links.
If Host A sends a large enough packet to host B with the DF bit set, it
will be dropped by router1, which will generate an ICMP destination
unreachable message, addressed to Host A but with router1 as its source
address (normal PMTUD stuff). But this message will not match the tunnel
policy so will never reach HostA...
- We could add additional tunnels to allow the ICMP to get through. But
that may not be acceptable if the administrative policy restricts HostA
to only access HostB. And with even a moderately complex network that
could need lots of such tunnels.
- Mess with MTU settings at various points to try to make sure no PMTUD
messages are ever triggered. Not easy even if you control everything -
in the case I'm working on I have no control over hostA & sg1. Again, it
gets exponentially harder as the network grows.
- I wonder if there's some way to make sg2 pass back the ICMP message
even though it's not permitted by the tunnel policy. Can passthrough be
used for that?
- SNAT the ICMP at sg2 so it'll match the policy. I really hope it's
not necessary to do anything that nasty. Besides, SNAT & IPsec has its
own set of problems, certainly when using NETKEY, although I hear
rumours that'll be fixed soon.
- What works for me is to use the TCPMSS hack in iptables on sg2 (which
is the Openswan box in this case). That's OK for TCP. But it won't help
if we need to do anything other than TCP here. (Also it really IS a
hack. I note that the iptables manpage says that the TCPMSS target is
intended to be used to fix "criminally braindead" hosts/routers that
don't do PMTUD properly. I hate to think anything I design can be so
Any other thoughts, anyone?
Andy <fs at globalnetit.com>
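An added illustration of the problem in the post, not code from the list or from Openswan: it builds the ICMP "fragmentation needed" message router1 would send, shows that it fails sg2's selector when matched on the outer header, that it passes when the quoted inner packet is matched in reverse (the ICMP-error handling RFC 4301 describes), and what MSS the iptables TCPMSS clamp would advertise instead. Addresses and the selector are constructed assumptions.

```python
import ipaddress
import struct

# Constructed addresses for the topology in the post (assumptions, not from the mail).
HOST_A, HOST_B, ROUTER1 = "10.1.0.10", "10.2.0.10", "192.0.2.1"
# sg2's tunnel selector for traffic heading back to HostA: only HostB -> HostA is allowed.
SELECTOR_SRC = ipaddress.ip_network(HOST_B + "/32")
SELECTOR_DST = ipaddress.ip_network(HOST_A + "/32")

def ipv4_header(src, dst, proto, total_len):
    # Minimal 20-byte IPv4 header, DF set, checksum left 0 (nothing validates it here).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def frag_needed(router, orig_src, orig_dst, next_hop_mtu):
    """Build the ICMP 'fragmentation needed' (type 3, code 4) router1 would emit (RFC 1191)."""
    # Quoted original datagram: its IP header plus the first 8 bytes (TCP ports and seq).
    quoted = ipv4_header(orig_src, orig_dst, 6, 1500) + b"\x00\x50\x1f\x90\x00\x00\x00\x01"
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted
    return ipv4_header(router, orig_src, 1, 20 + len(icmp)) + icmp

def classify(datagram):
    """Report whether sg2 would pass the ICMP error under a naive outer-header match
    versus a match on the quoted inner packet with src/dst reversed."""
    ihl = (datagram[0] & 0x0F) * 4
    o_src = ipaddress.ip_address(datagram[12:16])
    o_dst = ipaddress.ip_address(datagram[16:20])
    icmp = datagram[ihl:]
    typ, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (typ, code) != (3, 4):
        raise ValueError("not a fragmentation-needed message")
    inner = icmp[8:]
    i_src = ipaddress.ip_address(inner[12:16])
    i_dst = ipaddress.ip_address(inner[16:20])
    in_sel = lambda s, d: s in SELECTOR_SRC and d in SELECTOR_DST
    return {
        "outer_match": in_sel(o_src, o_dst),   # router1 -> HostA: not in the selector
        "inner_match": in_sel(i_dst, i_src),   # quoted HostA -> HostB, reversed: matches
        "next_hop_mtu": mtu,
        # What the iptables TCPMSS clamp would advertise: MTU minus 20-byte IP + TCP headers.
        "clamped_mss": mtu - 40,
    }

if __name__ == "__main__":
    print(classify(frag_needed(ROUTER1, HOST_A, HOST_B, 1400)))
```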