[Openswan Users] MTU again (netkey fragmentation)
Harald Scharf
h.scharf at nestec.at
Wed Feb 28 12:58:02 EST 2007
The ICMP messages work well.
The problem is: the non-fragmented packets are too big
for the ipsec tunnel.
In the routing environment, without ipsec, the packets
can get (in this example) 1420 bytes long.
When I send the same packet over the tunnel, netkey
answers with "fragmentation needed".
One and the same packet is OK for routing, too large for ipsec transfer.
Regards
Harald
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Benny Amorsen
Sent: Wednesday, 28 February 2007 18:39
To: users at lists.openswan.org
Subject: Re: [Openswan Users] MTU again (netkey fragmentation)
>>>>> "HS" == Harald Scharf <h.scharf at nestec.at> writes:
HS> I read that KLIPS removes the DF flag from the IP header
HS> before the packet goes into the tunnel.
HS> Why doesn't netkey?
If the source asks to not have its packets fragmented, it seems a bit
silly to fragment them. Something blocks ICMP in your setup; fix that
and the problem goes away.
/Benny
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
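The size arithmetic behind "OK for routing, too large for ipsec transfer", as an added example that is not part of the original thread: ESP tunnel mode wraps the inner packet in an outer IP header, ESP header, IV, padding and ICV, so a packet that just fits the path MTU no longer fits once encapsulated. The 1420-byte figure is taken from the post and treated as the path MTU; the two cipher suites and all names in the code are assumptions, since the thread does not say which algorithms the tunnel uses.

```python
# Added illustration: ESP tunnel-mode size arithmetic (RFC 4303 packet layout).
# The cipher parameters below are assumptions; the thread does not name them.
from dataclasses import dataclass

OUTER_IPV4 = 20      # outer IPv4 header without options
ESP_HEADER = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)


@dataclass(frozen=True)
class Suite:
    name: str
    iv_len: int      # per-packet IV carried in the ESP payload
    block: int       # cipher block size the plaintext is padded to
    icv_len: int     # truncated integrity check value


AES_CBC_SHA1 = Suite("aes-cbc/hmac-sha1-96", iv_len=16, block=16, icv_len=12)
TDES_SHA1 = Suite("3des-cbc/hmac-sha1-96", iv_len=8, block=8, icv_len=12)


def esp_size(inner_len: int, s: Suite) -> int:
    """On-wire size of the outer packet carrying one inner IP packet."""
    # Inner packet plus trailer is padded up to a whole number of cipher blocks.
    padded = -(-(inner_len + ESP_TRAILER) // s.block) * s.block
    return OUTER_IPV4 + ESP_HEADER + s.iv_len + padded + s.icv_len


def max_inner(path_mtu: int, s: Suite) -> int:
    """Largest inner packet whose ESP encapsulation still fits path_mtu."""
    room = path_mtu - OUTER_IPV4 - ESP_HEADER - s.iv_len - s.icv_len
    if room < s.block:
        raise ValueError("path MTU too small for this suite")
    return room // s.block * s.block - ESP_TRAILER


def needs_frag(inner_len: int, path_mtu: int, s: Suite) -> bool:
    """True when a DF-marked inner packet would draw 'fragmentation needed'."""
    return esp_size(inner_len, s) > path_mtu


if __name__ == "__main__":
    PATH_MTU = 1420  # figure from the thread, assumed to be the path MTU
    for s in (AES_CBC_SHA1, TDES_SHA1):
        print(f"{s.name}: 1420-byte inner -> {esp_size(PATH_MTU, s)} on wire, "
              f"largest inner that fits: {max_inner(PATH_MTU, s)}")
```

With NAT-T (UDP encapsulation) in use, another 8 bytes of UDP header would have to be subtracted; that case is not modelled here.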