[Openswan Users] MTU again (netkey fragmentation)

Benny Amorsen benny+usenet at amorsen.dk
Sat Mar 3 17:42:38 EST 2007

>>>>> "PW" == Paul Wouters <paul at xelerance.com> writes:

PW> Note that because of IPsec, it is not always possible for ICMP
PW> messages to get from a router in the middle back to the machine
PW> behind the IPsec server to tell it to lower its mtu. That's why we
PW> need to handle this on the ipsec server.

How does Openswan handle the case where an encrypted packet gets a
TOO-BIG ICMP reply? I thought it did PMTU discovery, and therefore
lowered MTU for that particular tunnel. Now that I think about it, I
realize that I am probably wrong.

So, why doesn't pluto just add a lower MTU to the ipsec route when it
receives TOO-BIG from a router in the middle?

I haven't hit the issue myself. I put mtu=1400 into every ipsec.conf,
and so far I haven't hit a network which could not fit in 1400 bytes
plus IPsec headers. In the old days people put MTU=512 or even lower
into their PPP configurations to help interactivity, but with even
cell phones getting 3 Mbps of bandwidth, that is now rare.
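As an added worked example (not part of this post, and not Openswan or pluto code): a small Python calculator for ESP tunnel-mode overhead. It checks the "mtu=1400 plus IPsec headers fits" claim for a 1500-byte path, with and without NAT-T UDP encapsulation, and computes the largest inner MTU that still fits a given path MTU, which is the value you would want to set once a router in the middle reports a smaller next-hop MTU in an ICMP Fragmentation Needed message. The header sizes are the standard IPv4/UDP/ESP ones; the cipher suite entries (IV length, padding block, ICV length) are assumptions for common suites and are not read from any ipsec.conf.

```python
"""ESP tunnel-mode overhead calculator (added example, not Openswan code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int   # bytes of IV carried in each ESP packet
    block: int    # alignment ESP padding must reach (cipher block size, min 4)
    icv_len: int  # integrity check value appended after the trailer


# Assumed parameters for a few common suites (constructed for this example).
AES_CBC_SHA1 = EspSuite("aes128-sha1", iv_len=16, block=16, icv_len=12)
AES_GCM_128 = EspSuite("aes128-gcm", iv_len=8, block=4, icv_len=16)
THREEDES_MD5 = EspSuite("3des-md5", iv_len=8, block=8, icv_len=12)

OUTER_IPV4 = 20   # outer IPv4 header added in tunnel mode (no options)
NAT_T_UDP = 8     # UDP header when ESP is encapsulated on port 4500
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)


def esp_padding(inner_len: int, suite: EspSuite) -> int:
    """ESP pads so that payload + padding + trailer is a multiple of the block size."""
    return (-(inner_len + ESP_TRAILER)) % suite.block


def esp_packet_len(inner_len: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Size on the wire of a tunnel-mode ESP packet carrying an inner IP packet."""
    outer = OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HDR + suite.iv_len
    return (outer + inner_len + esp_padding(inner_len, suite)
            + ESP_TRAILER + suite.icv_len)


def fits(inner_mtu: int, path_mtu: int, suite: EspSuite, nat_t: bool = False) -> bool:
    """True if an inner packet of inner_mtu bytes is sent without outer fragmentation."""
    return esp_packet_len(inner_mtu, suite, nat_t) <= path_mtu


def max_inner_mtu(path_mtu: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Largest inner MTU whose encapsulation fits path_mtu.

    path_mtu would typically be the next-hop MTU from an ICMP Fragmentation
    Needed message (or 1500 for plain Ethernet). The packet size is monotone
    in inner_len, so a downward scan finds the boundary.
    """
    for inner in range(path_mtu, 0, -1):
        if fits(inner, path_mtu, suite, nat_t):
            return inner
    raise ValueError("path MTU too small to carry any ESP packet")


if __name__ == "__main__":
    for suite in (AES_CBC_SHA1, AES_GCM_128, THREEDES_MD5):
        for nat_t in (False, True):
            print(f"{suite.name:12s} nat-t={nat_t!s:5s} "
                  f"mtu=1400 -> {esp_packet_len(1400, suite, nat_t)} bytes on the wire, "
                  f"max inner MTU for a 1500 path = {max_inner_mtu(1500, suite, nat_t)}")
```

With these numbers an inner mtu=1400 encapsulates to 1464 bytes with AES-CBC/HMAC-SHA1 (1472 with NAT-T), so it fits a 1500-byte Ethernet path with a few dozen bytes to spare; the largest inner MTU that still fits is 1438 (1422 with NAT-T). The fixed 1400 only becomes a problem on a path narrower than about 1464 bytes, which is exactly the case where the ICMP Too Big message discussed above would have to reach the IPsec gateway.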


