[Openswan Users] PMTUD after ipsec

Paul Wouters paul at xelerance.com
Fri Jan 13 01:13:45 CET 2006


On Thu, 12 Jan 2006, Andy wrote:

> HostA -- sg1 --Internet-- sg2 --- router1 --- router2 --- HostB
>
> where sg1 and sg2 are IPsec peers with a policy that allows traffic
> to/from hosts A & B only, and the path from router1 to router2 has a
> smaller MTU than the other links.
>
> If Host A sends a large enough packet to host B with the DF bit set, it
> will be dropped by router1, which will generate an ICMP destination
> unreachable message, addressed to Host A but with router1 as its source
> address (normal PMTUD stuff). But this message will not match the tunnel
> policy so will never reach HostA...
>
> Options:

A third option is to set the internal interface on sg2 with a smaller
mtu, so it will send the icmp unreachable messages. Provided that it
is allowed to send those to sg1.
You might also be able to set the mtu more specifically using the advanced
routing (the ip command can set an mtu per route).

Paul
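As an added illustration (not code from the thread or from Openswan), the following small model walks through the black hole Andy describes and the workaround Paul suggests, including the caveat that sg2's own ICMP must itself be covered by the tunnel policy. Addresses, interface names, MTUs and the policy selectors are constructed placeholders.

```python
"""Added example (not from the thread): a small model of the PMTUD black hole Andy
describes and of Paul's workaround. Addresses, interface names and MTUs are
constructed placeholders; policy selectors are modelled as address ranges."""
import ipaddress

# Constructed topology: hops on the inner (cleartext) path toward HostB, each with
# the address it would use as ICMP source and the MTU of its egress link.
HOSTA = ipaddress.ip_address("10.1.0.10")
HOPS = [
    ("sg2-internal", ipaddress.ip_address("10.2.0.1"), 1500),
    ("router1", ipaddress.ip_address("10.2.1.1"), 1400),  # narrow link router1 -> router2
    ("router2", ipaddress.ip_address("10.2.2.1"), 1500),
]
# Tunnel policy as seen from sg2: a packet is tunnelled to sg1 only if its source is
# in `local` and its destination is in `remote`.
POLICY = {"local": ipaddress.ip_network("10.2.2.0/24"),   # HostB's subnet
          "remote": ipaddress.ip_network("10.1.0.0/24")}  # HostA's subnet


def pmtud_outcome(pkt_len, hops, policy, df=True):
    """Return (hop sending ICMP frag-needed, its source address, reaches HostA?),
    or None when the packet is delivered or fragmented instead of dropped."""
    for name, addr, mtu in hops:
        if pkt_len <= mtu:
            continue
        if not df:
            return None  # DF clear: the hop fragments, no ICMP is sent
        # The ICMP carries the hop's own address as source, so sg2 only tunnels it
        # back to sg1 if that address falls inside the local selector.
        reaches = addr in policy["local"] and HOSTA in policy["remote"]
        return name, str(addr), reaches
    return None


def apply_workaround(hops, inner_mtu):
    """Paul's suggestion: lower sg2's internal interface MTU so sg2 itself answers
    before the packet reaches router1."""
    return [(n, a, inner_mtu if n == "sg2-internal" else m) for n, a, m in hops]


def with_local(policy, cidr):
    """Paul's caveat: the policy must also allow sg2's own ICMP toward sg1."""
    return dict(policy, local=ipaddress.ip_network(cidr))


if __name__ == "__main__":
    print(pmtud_outcome(1500, HOPS, POLICY))                # router1 answers, ICMP lost
    narrow = apply_workaround(HOPS, 1400)
    print(pmtud_outcome(1500, narrow, POLICY))              # sg2 answers, still lost
    print(pmtud_outcome(1500, narrow, with_local(POLICY, "10.2.0.0/16")))  # reaches HostA
```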

