[Openswan Users] MTU again (netkey fragmentation)

[Paul Wouters]

On Wed, 28 Feb 2007, Harald Scharf wrote:

> The ICMP messages work well.
> The Problem is: the not-fragmented packets are too big
> for the ipsec tunnel.
> In the routing environment, without ipsec, the packets
> can get (in this example) 1420 bytes long.
> When I send the same packet over the tunnel, netkey
> answers with "fragmentation needed".

IPsec adds another header, making the packet bigger. Lower your mtu,
pref on both ends.

Paul