[Openswan Users] MTU again (netkey fragmentation)

Benny Amorsen benny+usenet at amorsen.dk
Sat Mar 3 17:42:38 EST 2007

>>>>> "PW" == Paul Wouters <paul at xelerance.com> writes:

PW> Note that because of IPsec, it is not always possible for ICMP
PW> messages to get from a router in the middle back to the machine
PW> behind the IPsec server to tell it to lower its mtu. That's why we
PW> need to handle this on the ipsec server.

How does Openswan handle the case where an encrypted packet gets a
TOO-BIG ICMP reply? I thought it did PMTU discovery, and therefore
lowered MTU for that particular tunnel. Now that I think about it, I
realize that I am probably wrong.

So, why doesn't pluto just add a lower MTU to the ipsec route when it
receives TOO-BIG from a router in the middle?

I haven't hit the issue myself. I put mtu=1400 into every ipsec.conf,
and so far I haven't hit a network which could not fit in 1400 bytes
plus IPSEC headers. In the old days people put MTU=512 or even lower
into their PPP configurations to help interactivity, but with even
cell phones getting 3Mbps of bandwidth, that is now rare.
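
To make the mechanism in this exchange concrete, the following is an added Python example; it is not from this thread and not Openswan code. It does two things: it parses an ICMPv4 "Fragmentation Needed" message (type 3, code 4) to extract the Next-Hop MTU a router in the middle reports (the RFC 1191 field), and it converts that path MTU into the largest inner, pre-encryption packet that still fits after ESP tunnel-mode framing (the RFC 4303 layout: outer IP header, SPI and sequence number, IV, padding, two trailer bytes, ICV, plus a UDP header when NAT-T is in use). The ICMP message and the quoted inner header are constructed inline; the cipher parameters (16-byte IV and block for AES-CBC, 12-byte ICV for HMAC-SHA1-96) are assumed for illustration, and the function names are my own.

```python
"""PMTU / ESP overhead worked example (added; not part of the original thread)."""
import struct

IPV4_HEADER_LEN = 20
ESP_SPI_SEQ_LEN = 8          # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER_FIXED = 2        # pad length (1) + next header (1)
UDP_ENCAP_LEN = 8            # extra UDP header when NAT traversal encapsulation is used


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu: int, quoted_original: bytes) -> bytes:
    """Constructed ICMPv4 type 3 / code 4 message carrying next_hop_mtu (RFC 1191)."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted_original
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]


def parse_frag_needed(icmp: bytes):
    """Return the Next-Hop MTU from a Fragmentation Needed message, or None if the
    bytes are too short, fail the checksum, are not type 3 / code 4, or report MTU 0
    (a zero means the router predates PMTUD and the sender must use the RFC 1191
    plateau table instead)."""
    if len(icmp) < 8 + IPV4_HEADER_LEN + 8:      # ICMP header + quoted IP header + 8 bytes
        return None
    if internet_checksum(icmp) != 0:              # checksum over the whole message is zero
        return None
    icmp_type, code, _csum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != 3 or code != 4:
        return None
    return next_hop_mtu or None


def esp_tunnel_size(inner_len: int, iv_len: int, block_size: int, icv_len: int,
                    nat_t: bool = False) -> int:
    """Wire size of an inner IPv4 packet of inner_len bytes after ESP tunnel-mode
    encapsulation.  Padding brings payload + trailer up to the cipher block size."""
    pad = (-(inner_len + ESP_TRAILER_FIXED)) % block_size
    return (IPV4_HEADER_LEN + (UDP_ENCAP_LEN if nat_t else 0) + ESP_SPI_SEQ_LEN
            + iv_len + inner_len + pad + ESP_TRAILER_FIXED + icv_len)


def max_inner_mtu(path_mtu: int, iv_len: int, block_size: int, icv_len: int,
                  nat_t: bool = False) -> int:
    """Largest inner packet whose ESP tunnel-mode encapsulation fits in path_mtu."""
    fixed = (IPV4_HEADER_LEN + (UDP_ENCAP_LEN if nat_t else 0) + ESP_SPI_SEQ_LEN
             + iv_len + icv_len)
    available = path_mtu - fixed
    if available < block_size:
        return 0
    # payload + 2 trailer bytes must be a multiple of block_size
    return (available // block_size) * block_size - ESP_TRAILER_FIXED


def inner_mtu_after_too_big(icmp: bytes, iv_len: int, block_size: int, icv_len: int,
                            nat_t: bool = False):
    """Tie the two halves together: the inner MTU a gateway could apply to the
    tunnel route after receiving this TOO-BIG message, or None if it is unusable."""
    path_mtu = parse_frag_needed(icmp)
    if path_mtu is None:
        return None
    return max_inner_mtu(path_mtu, iv_len, block_size, icv_len, nat_t)


# Constructed sample: the router quotes the outer IPv4 header (protocol 50 = ESP)
# plus the first 8 bytes of the ESP packet (SPI and sequence number), as RFC 792 requires.
QUOTED_OUTER_HEADER = struct.pack(
    "!BBHHHBBH4s4s", 0x45, 0, 1464, 0x1234, 0x4000, 64, 50, 0,
    bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])) + struct.pack("!II", 0xABCD, 1)
SAMPLE_TOO_BIG = build_frag_needed(1400, QUOTED_OUTER_HEADER)

if __name__ == "__main__":
    print("router reports next-hop MTU:", parse_frag_needed(SAMPLE_TOO_BIG))
    print("largest inner packet for that path (AES-CBC/HMAC-SHA1-96):",
          inner_mtu_after_too_big(SAMPLE_TOO_BIG, 16, 16, 12))
    print("mtu=1400 on a plain 1500-byte path occupies:", esp_tunnel_size(1400, 16, 16, 12))
```

The last line of the demo is the check behind the "mtu=1400 plus IPSEC headers" remark: with AES-CBC and a 12-byte ICV, a 1400-byte inner packet becomes 1464 bytes on the wire, so it clears a 1500-byte link with room to spare, and the same arithmetic tells you how much a NAT-T UDP header or a longer ICV eats into that margin.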
