[Openswan Users] pmtud & pre-fragmentation in netkey
Ales Klok
orrie at seznam.cz
Thu Jun 14 13:15:55 EDT 2007
sari grunzweig-bitan wrote:
> Hi,
> does anyone know if pmtud & pre-fragmentation are supported in netkey?
> if so - which kernel version?
>
> Thanks,
> Sari
Hi Sari, I think PMTUD is supported by netkey, but there were a lot of
problems prior to 2.6.12. From time to time I can see something like
"kernel: pmtu discovery on SA ESP/xxxxxxxxx/xxxxxxxx" in the kernel log.
I can't tell if it's working properly though. I'm sure there is no
prefragmentation option at all up to 2.6.18 (I'm not using any newer
kernels with openswan). I needed prefragmentation too when fighting
some dumb DrayTek Vigor routers which don't support ESP fragments. From
what I've learned there are two ways to avoid ESP fragments. Either you
have to implement TCP MSS clamping using iptables, but large UDPs and
ICMPs are still doomed -> problems with Windows AD Kerberos auth, or use
KLIPS with the override MTU option.
Orrie
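
The TCP MSS clamping workaround mentioned in the reply above, as an added example that is not part of the original post: it derives the largest inner packet that fits in one ESP tunnel-mode packet and prints the matching iptables TCPMSS rule. The 1500-byte path MTU, the cipher parameters (AES-CBC with HMAC-SHA1-96) and the function names are assumptions.

```shell
#!/bin/sh
# Added example; function names and sample parameters are assumptions.

# esp_inner_mtu PATH_MTU IV_LEN BLOCK_LEN ICV_LEN NATT(0|1)
# Largest inner IPv4 packet that still fits in ONE ESP tunnel-mode packet.
esp_inner_mtu() {
    mtu=$1; iv=$2; block=$3; icv=$4; natt=$5
    # outer IPv4 header (20) + ESP header: SPI and sequence number (8) + IV + ICV
    overhead=$((20 + 8 + iv + icv))
    if [ "$natt" -eq 1 ]; then
        overhead=$((overhead + 8))      # UDP encapsulation header (NAT-T)
    fi
    # The ciphertext is padded to a whole number of cipher blocks.
    cipher=$(( (mtu - overhead) / block * block ))
    # The ESP trailer carries pad-length and next-header (1 byte each).
    echo $((cipher - 2))
}

# tcp_mss INNER_MTU: subtract inner IPv4 (20) and TCP (20) headers, no options.
tcp_mss() {
    echo $(($1 - 40))
}

# clamp_rule MSS: print (not run) a rule that rewrites the MSS option on
# forwarded SYNs that an outbound IPsec policy will encapsulate.
clamp_rule() {
    echo "iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out" \
         "-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $1"
}

# Constructed sample: 1500-byte path, AES-CBC (IV 16, block 16),
# HMAC-SHA1-96 (ICV 12), no NAT-T.
inner=$(esp_inner_mtu 1500 16 16 12 0)
echo "largest unfragmented inner packet: $inner bytes"
clamp_rule "$(tcp_mss "$inner")"
# Only TCP is helped: a UDP or ICMP packet larger than $inner bytes still
# ends up as ESP fragments, as the reply notes.
```
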