[Openswan Users] MTU again (netkey fragmentation)

Benny Amorsen benny+usenet at amorsen.dk
Wed Feb 28 13:04:31 EST 2007


>>>>> "HS" == Harald Scharf <h.scharf at nestec.at> writes:

HS> The ICMP messages work well. The problem is: the not-fragmented
HS> packets are too big for the ipsec tunnel. In the routing
HS> environment, without ipsec, the packets can get (in this example)
HS> 1420 bytes long. When I send the same packet over the tunnel,
HS> netkey answers with "fragmentation needed".

HS> One and the same packet is OK for routing, too large for ipsec
HS> transfer.

Yes, so the packet is too large. Therefore the source is told to send
smaller packets. The source ignores that message or never receives it.
The latter is much more likely. Therefore, fix your firewalls and your
problems go away.

If the ICMP messages had worked, you would not have had a problem.

Anyway, I am out of this discussion. Go read the RFCs.


/Benny
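
The ICMP "fragmentation needed" message the reply refers to (type 3, code 4, RFC 1191), built and decoded as an added example that is not part of the original message. It shows the next-hop MTU and the flow details the source must receive for path MTU discovery to work. The addresses, ports, the 1400-byte next-hop MTU and all function names are constructed for illustration; only the 1420-byte packet size comes from the thread.

```python
import ipaddress
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def sample_original(total_len: int = 1420) -> bytes:
    """Constructed IPv4 header (DF set) plus the first 8 bytes of a TCP header."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                      ipaddress.IPv4Address("192.0.2.10").packed,
                      ipaddress.IPv4Address("198.51.100.20").packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + struct.pack("!HHI", 40000, 443, 1)

def build_frag_needed(next_hop_mtu: int, original: bytes) -> bytes:
    """ICMP error a gateway returns for a DF packet larger than its next hop."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + original
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def parse_frag_needed(icmp: bytes) -> dict:
    """Decode a type 3 / code 4 message; raise ValueError if it is not one."""
    if len(icmp) < 8 + 20:
        raise ValueError("too short to carry an embedded IPv4 header")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        raise ValueError("not a 'fragmentation needed' message")
    inner = icmp[8:]
    ver_ihl, _, total_len, _, flags_frag = struct.unpack("!BBHHH", inner[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("embedded packet is not IPv4")
    return {
        "next_hop_mtu": mtu,                     # size the source must drop to
        "original_len": total_len,               # size of the rejected packet
        "df_set": bool(flags_frag & 0x4000),     # Don't Fragment bit
        "src": str(ipaddress.IPv4Address(inner[12:16])),
        "dst": str(ipaddress.IPv4Address(inner[16:20])),
    }

if __name__ == "__main__":
    print(parse_frag_needed(build_frag_needed(1400, sample_original())))
```

The embedded header names the original source address, which is the host a firewall must let this message reach.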



