Date: Fri, 25 May 2001 12:23:03 +1000 (EST)
From: Rowan Crowe <rowan@sensation.net.au>
To: freebsd-isp@FreeBSD.ORG
Subject: Re: Cisco <-> FreeBSD IP tunnels
Message-ID: <Pine.BSF.4.21.0105251212050.16571-100000@velvet.sensation.net.au>
In-Reply-To: <Pine.BSF.4.21.0105251125460.16571-100000@velvet.sensation.net.au>
On Fri, 25 May 2001, Rowan Crowe wrote:

> Hello,
>
> I'm having a problem with Cisco NOS style tunnels, running the iptunnel.c
> program at the FreeBSD end. It seems you can't configure the MTU on the
> Cisco, so the effective MTU ends up being 1480 bytes (1500 minus 20 bytes
> encapsulation overhead). This is causing BIG problems with MTU path
> discovery, and web sites that support PMTU but have a firewall somewhere
> blocking more ICMP than it should.

This sentence pretty much sums it up:

"However, increasing the tunnel MTU isn't feasible if the links over which
the tunnel packets are sent are smaller than 1500 bytes, because the DF bit
of the original packet is copied to the tunnel packet header. In this
scenario, the router can encapsulate the original packet, but can't fragment
the tunnel packet, since the DF bit is set."

As long as the Cisco copies the DF bit in the header of the original packet
to the DF bit of the encapsulating header packet, its tunnel will always be
limited to an MTU 20 lower than the interface it is going out (and in
practical terms, all other links to the destination).

FreeBSD's tunnel program seems to be quite happy to turn a 1500 byte packet
into an encapsulated packet of 1520, which is then fragmented by the kernel
into 2 packets as it passes over ethernet, and comes out of the tunnel as an
*intact* 1500 byte packet. The fragmentation is 'outside' the tunnel, and is
effectively seamless to each end.

With a Cisco, the 1500 byte packet is fragmented *before* it enters the
tunnel (due to the 1480 MTU), and will leave the tunnel as 2 fragments also.
If the DF bit is set, then the packet does not enter the tunnel at all (it's
dropped) and an ICMP "need to frag - MTU 1480" message is sent.

This annoying behaviour would be non-existent if the DF bit was not copied
over to the encapsulating header...

The only solution I can think of at the moment is to find something which
will encapsulate a 1500 byte packet properly, possibly FreeBSD to FreeBSD...
it's messy though, since it's not my network at the other end.

Cheers.

--
Rowan Crowe                      http://www.rowan.sensation.net.au/
Sensation Internet Services      http://info.sensation.net.au/
Melbourne, Australia             Phone: +61-3-9329-5498

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
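The two behaviours described in the message above, modelled as an added example (this is constructed illustration code, not iptunnel.c and not Cisco IOS). The model keeps only the IPv4 fields that matter here (total length, identification, DF, fragment offset in bytes, more-fragments) and packs them into a 20-byte placeholder header so that encapsulation, fragmentation on a 1500-byte link, reassembly and decapsulation can be walked through with a 1500-byte inner packet. The identification values and the 1500-byte link MTU are assumptions chosen for the demonstration.

```python
"""Why a Cisco IP-in-IP tunnel that copies DF into the outer header tops out at
MTU 1480, while an encapsulator that leaves the outer DF clear can carry a
1500-byte packet intact across a 1500-byte link. Constructed model, not the
code of either implementation."""
import struct
from dataclasses import dataclass
from typing import List, Union

IP_HDR = 20          # bytes added by one IPv4 header (the encapsulation overhead)
ETHER_MTU = 1500     # assumed MTU of the links the tunnel packets cross
HDR_FMT = "!HH?H?"   # total length, identification, DF, fragment offset, MF


@dataclass
class Packet:
    payload: bytes
    df: bool
    ident: int = 1
    offset: int = 0      # fragment offset in bytes (the real field counts 8-byte units)
    mf: bool = False     # more-fragments flag

    @property
    def length(self) -> int:
        return IP_HDR + len(self.payload)


@dataclass
class NeedFrag:
    """ICMP type 3 code 4 ("fragmentation needed") carrying the next-hop MTU."""
    mtu: int


def serialize(pkt: Packet) -> bytes:
    hdr = struct.pack(HDR_FMT, pkt.length, pkt.ident, pkt.df, pkt.offset, pkt.mf)
    return hdr.ljust(IP_HDR, b"\0") + pkt.payload      # pad to a 20-byte header


def parse(raw: bytes) -> Packet:
    length, ident, df, offset, mf = struct.unpack(HDR_FMT, raw[:struct.calcsize(HDR_FMT)])
    return Packet(raw[IP_HDR:length], df, ident, offset, mf)


def fragment(pkt: Packet, mtu: int) -> Union[List[Packet], NeedFrag]:
    """Router behaviour at a link: pass, fragment, or drop with ICMP if DF is set."""
    if pkt.length <= mtu:
        return [pkt]
    if pkt.df:
        return NeedFrag(mtu)
    chunk = (mtu - IP_HDR) // 8 * 8        # non-final fragment payloads are multiples of 8
    frags = []
    for off in range(0, len(pkt.payload), chunk):
        piece = pkt.payload[off:off + chunk]
        last = off + len(piece) == len(pkt.payload)
        frags.append(Packet(piece, pkt.df, pkt.ident, pkt.offset + off, mf=(not last) or pkt.mf))
    return frags


def reassemble(frags: List[Packet]) -> Packet:
    """Rebuild one datagram from its fragments; raises if a piece is missing."""
    frags = sorted(frags, key=lambda f: f.offset)
    expect = 0
    for f in frags:
        if f.offset != expect:
            raise ValueError("missing fragment at offset %d" % expect)
        expect += len(f.payload)
    if frags[-1].mf:
        raise ValueError("final fragment missing")
    return Packet(b"".join(f.payload for f in frags), frags[0].df, frags[0].ident)


def encapsulate(inner: Packet, copy_df: bool, ident: int) -> Packet:
    """Wrap inner in a new IP header; copy_df decides whether the outer DF follows the inner."""
    return Packet(serialize(inner), df=inner.df if copy_df else False, ident=ident)


def decapsulate(wire: List[Packet]) -> List[Packet]:
    """Far tunnel end: reassemble each outer datagram by identification, strip the outer header."""
    groups = {}
    for p in wire:
        groups.setdefault(p.ident, []).append(p)
    return [parse(reassemble(g).payload) for g in groups.values()]


def cisco_tunnel(inner: Packet, link_mtu: int = ETHER_MTU):
    """Tunnel MTU is link MTU minus 20 and the inner DF is copied to the outer header,
    so the inner packet is fragmented (or dropped with ICMP) before entering the tunnel."""
    tunnel_mtu = link_mtu - IP_HDR
    pieces = fragment(inner, tunnel_mtu)
    if isinstance(pieces, NeedFrag):
        return pieces                          # dropped: "need to frag - MTU 1480"
    wire = []
    for i, p in enumerate(pieces):
        outer = encapsulate(p, copy_df=True, ident=100 + i)   # assumed identification values
        wire.extend(fragment(outer, link_mtu))  # always fits: outer length <= link_mtu
    return wire, decapsulate(wire)


def freebsd_tunnel(inner: Packet, link_mtu: int = ETHER_MTU):
    """Encapsulate the whole packet with DF clear on the outer header; the kernel then
    fragments the 1520-byte outer packet on the link and the far end reassembles it."""
    outer = encapsulate(inner, copy_df=False, ident=200)      # assumed identification value
    wire = fragment(outer, link_mtu)
    return wire, decapsulate(wire)


if __name__ == "__main__":
    big_df = Packet(b"A" * (ETHER_MTU - IP_HDR), df=True)     # 1500-byte packet with DF set
    print("cisco:", cisco_tunnel(big_df))
    wire, delivered = freebsd_tunnel(big_df)
    print("freebsd wire lengths:", [p.length for p in wire], "delivered:", [p.length for p in delivered])
```

Running it shows the asymmetry the message describes: the Cisco path returns a NeedFrag with MTU 1480 for a 1500-byte DF packet, and with DF clear it emits two inner fragments that stay fragments after decapsulation, whereas the FreeBSD-style path sends a 1500-byte and a 40-byte outer fragment and hands the far end one intact 1500-byte packet with its DF bit still set.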