From: "Tariq Rashid"
To: freebsd-net@freebsd.org
Subject: KAME ipsec and mtu (via gif) - no icmp frag needed
Date: Fri, 4 Jan 2002 09:27:33 -0000
In-Reply-To: <20020104085712.GA88991@cairo.zsat.net>

This is a question about the correct way to handle MTUs and fragmentation when using IPsec on FreeBSD 4.4R.

I'm routing via a local gif0 tunnel which has aliases added to it for multiple destinations... and the KAME IPsec code grabs the packets just after they enter the gif0 device. In fact the IPsec SAs are handled by a port of the OpenBSD isakmpd. There is no problem here.

Now, a standard ping packet is small enough to go through the IPsec encapsulation and not require fragmentation. However, a larger ping packet, or say, an ftp transfer, does cause fragmentation to occur such that one normal packet is broken into two packets and then the IPsec headers are added. The resulting IPsec ESP packets are below the MTU limit (of 1500). This is also fine.

But I was wondering why the KAME IPsec code does not send an ICMP error message to the sender informing it of the need to defragment. The sender would then send smaller chunks resulting in no fragmentation. I think this is normal for plain IP communication?

Any ideas gratefully received... or am I configuring it wrong? I have experimented with the MTU of the external interfaces and the gif devices too.

tariq
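The size arithmetic behind the question above (why a default ping fits but a full-size packet becomes two ESP packets, and what next-hop MTU an ICMP "fragmentation needed" message would have to carry), as an added example that is not code from the thread or from KAME. It assumes a gif outer IPv4 header of 20 bytes, ESP with an 8-byte IV, 8-byte cipher block (3DES-CBC style) and a 12-byte HMAC-SHA1-96 ICV, and a stack that fragments the inner packet down to the largest size that still fits after encapsulation; all of these are assumptions, not facts from the message.

```python
# Added example (not from the thread or KAME). Assumed ESP parameters: 8-byte
# SPI/sequence header, 8-byte IV and cipher block (3DES-CBC style), 2-byte
# pad-length/next-header trailer, 12-byte HMAC-SHA1-96 ICV; the gif outer IPv4
# header is 20 bytes with no options.
OUTER_IP, ESP_HDR, IV_LEN, BLOCK, TRAILER, ICV_LEN = 20, 8, 8, 8, 2, 12

def esp_padding(inner_len):
    """Padding so that inner packet + trailer ends on a cipher block boundary."""
    return (BLOCK - (inner_len + TRAILER) % BLOCK) % BLOCK

def esp_outer_length(inner_len):
    """Wire size of one inner IP packet after gif encapsulation and ESP."""
    return (OUTER_IP + ESP_HDR + IV_LEN + inner_len
            + esp_padding(inner_len) + TRAILER + ICV_LEN)

def max_inner_mtu(link_mtu):
    """Largest inner packet whose encapsulated form still fits the link MTU.

    This is the next-hop MTU an ICMP 'fragmentation needed' message would
    have to advertise for the sender's path MTU discovery to converge.
    """
    inner = link_mtu
    while inner > 0 and esp_outer_length(inner) > link_mtu:
        inner -= 1
    return inner

def ip_fragment_sizes(total_len, mtu, hdr=20):
    """IP fragment sizes for a packet of total_len over a link of size mtu.

    Every fragment but the last carries a multiple of 8 data bytes.
    """
    data, chunk, sizes = total_len - hdr, (mtu - hdr) // 8 * 8, []
    while data > 0:
        take = min(chunk, data)
        sizes.append(hdr + take)
        data -= take
    return sizes

def encapsulated_sizes(inner_len, link_mtu=1500):
    """ESP packets produced for one inner packet, fragmenting first if needed."""
    if esp_outer_length(inner_len) <= link_mtu:
        return [esp_outer_length(inner_len)]
    pieces = ip_fragment_sizes(inner_len, max_inner_mtu(link_mtu))
    return [esp_outer_length(f) for f in pieces]

if __name__ == "__main__":
    print(max_inner_mtu(1500))        # 1446
    print(encapsulated_sizes(84))     # [136]: a default ping fits unfragmented
    print(encapsulated_sizes(1500))   # [1496, 128]: one packet becomes two
```

With these parameters a sender setting DF would need to hear a next-hop MTU of 1446 to stop the fragmentation the message describes; a different cipher or ICV length shifts that number, so the assumed overheads should be replaced with the SA's actual ones.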