[Openswan Users] MTU again (netkey fragmentation)

Paul Wouters paul at xelerance.com
Thu Mar 1 14:22:47 EST 2007


On Fri, 2 Mar 2007, Cameron Davidson wrote:

> It shouldn't be - the server is supposed to resend the packet with a
> smaller size. That is the entire point of DF and PMTU discovery.
>
> Most likely Benny is right - the "server" (you did say it was XP at both
> ends) is not getting the ICMP fragmentation needed messages.
> Have you run wireshark on the server? Have you checked the firewalls on
> the machine receiving these messages?

Note that because of IPsec, it is not always possible for ICMP messages
to get from a router in the middle back to the machine behind the IPsec
server to tell it to lower its MTU. That's why we need to handle this
on the IPsec server.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
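
An added illustration, not part of the original post and not Openswan code: the arithmetic an IPsec gateway has to account for when hosts behind it never see the ICMP "fragmentation needed" message. It goes beyond the thread by assuming IPv4, ESP tunnel mode, CBC ciphers and 96-bit truncated HMACs; the function names and the algorithm table are constructed for this example.

```python
# Added example: how much room an ESP tunnel leaves inside a given link MTU.
# Assumptions: IPv4 outer header without options, ESP tunnel mode (RFC 4303),
# CBC ciphers, 96-bit truncated HMAC ICV, minimal padding.

OUTER_IPV4 = 20        # outer IPv4 header
ESP_HEADER = 8         # SPI + sequence number
ESP_TRAILER = 2        # pad length + next header
NATT_UDP = 8           # UDP encapsulation header when NAT-T is in use
TCP_IPV4_HEADERS = 40  # inner IPv4 + TCP headers, no options

CIPHERS = {"aes-cbc": (16, 16), "3des-cbc": (8, 8)}  # name: (IV, block) bytes
ICV_BYTES = 12                                       # HMAC-SHA1-96 / HMAC-MD5-96


def esp_packet_size(inner_len, cipher="aes-cbc", nat_t=False):
    """Size on the wire of one inner IP packet after ESP encapsulation."""
    iv, block = CIPHERS[cipher]
    # Inner packet plus trailer is padded up to a whole number of blocks.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    extra = NATT_UDP if nat_t else 0
    return OUTER_IPV4 + extra + ESP_HEADER + iv + padded + ICV_BYTES


def tunnel_mtu(link_mtu, cipher="aes-cbc", nat_t=False):
    """Largest inner packet that still fits in link_mtu once encapsulated."""
    iv, block = CIPHERS[cipher]
    room = link_mtu - OUTER_IPV4 - ESP_HEADER - iv - ICV_BYTES
    if nat_t:
        room -= NATT_UDP
    room -= room % block          # ciphertext must be whole blocks
    return room - ESP_TRAILER


def tcp_mss(link_mtu, cipher="aes-cbc", nat_t=False):
    """TCP MSS that keeps full-size segments inside the tunnel MTU."""
    return tunnel_mtu(link_mtu, cipher, nat_t) - TCP_IPV4_HEADERS


def needs_fragmentation(inner_len, link_mtu, cipher="aes-cbc", nat_t=False):
    """True when the encapsulated packet no longer fits the outer link."""
    return esp_packet_size(inner_len, cipher, nat_t) > link_mtu


if __name__ == "__main__":
    for mtu in (1500, 1492):      # constructed sample link MTUs
        print(mtu, tunnel_mtu(mtu), tcp_mss(mtu), needs_fragmentation(1500, mtu))
```

A host that keeps sending 1500-byte packets with DF set produces ESP packets larger than the outer link allows, which is the situation the gateway has to deal with when the ICMP message cannot reach that host.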

