[Openswan Users] PMTUD after ipsec

Andy fs at globalnetit.com
Fri Jan 13 02:56:13 CET 2006

On Fri, 2006-01-13 at 01:13 +0100, Paul Wouters wrote:
> On Thu, 12 Jan 2006, Andy wrote:
> > HostA -- sg1 --Internet-- sg2 --- router1 --- router2 --- HostB
> >
> > where sg1 and sg2 are IPsec peers with a policy that allows traffic
> > to/from hosts A & B only, and the path from router1 to router2 has a
> > smaller MTU than the other links.
> >
> > If Host A sends a large enough packet to host B with the DF bit set, it
> > will be dropped by router1, which will generate an ICMP destination
> > unreachable message, addressed to Host A but with router1 as its source
> > address (normal PMTUD stuff). But this message will not match the tunnel
> > policy so will never reach HostA...
> >
> > Options:
> A third option is to set the internal interface on sg2 with a smaller
> mtu, so it will send the icmp unreachable messages. Provided that it
> is allowed to send those those sg1.

I guess you mean "provided it is allowed to send them to sg1". But they
won't be going to sg1, they'll be addressed to HostA, won't they? And
no, I can't permit traffic to/from HostA (which I don't control and
don't trust) into my network core. I'm only willing to allow transit
traffic from there.

Thinking about that some more, I guess it depends whether the MTU check
is done before or after IPsec processing. I'd expect it would be done
afterwards, so the packet being checked would have HostA's source
address. But I will experiment with this.

> You might also be able to set the mtu more specific using the advanced
> routing (the ip command can set an mtu per route)

Indeed, and I've used custom updown scripts to make use of that in other
applications. But in this case, it won't help - it'll just make sg2
generate the icmp unreachable instead of router1.

Andy <fs at globalnetit.com>

More information about the Users mailing list