From: "Company 2210"
Date: Wed, 29 Oct 2003 16:22:29 -0000
Subject: Re: ipsec tunnels & packet length issues
References: <200310290904.KAA09027@galaxy.hbg.de.ao-srv.com>
List-Id: Networking and TCP/IP with FreeBSD

So, what would be a suitable MTU value for an ESP encrypted packet using
Blowfish?

Thanks

----- Original Message -----
From: "Helge Oldach"
To: "Eric Masson"
Sent: Wednesday, October 29, 2003 9:04 AM
Subject: Re: ipsec tunnels & packet length issues

> Eric Masson:
> >>>>>> "Michael" == Michael Sierchio writes:
> >
> > Michael> You should allow for an IP header with options and the ESP
> > Michael> header, which is smaller than 1450. For SKIP I use 1366 as the
> > Michael> advertised MTU, and for IPsec usually 1436, unless I need to
> > Michael> accommodate ESP and AH, in which case it's smaller.
> >
> >Ok, that's fine.
> >
> > Michael> It's a known feature of any sort of IP encapsulation.
> >
> >I understand.
> >
> >I'm no kernel hacker at all, I was just thinking about the ability for
> >the tunnel endpoint to send back an icmp packet type 3 code 4 when the
> >packet is too long to be encapsulated.
>
> Actually this is the case. Or better, it *should* be happening - I don't
> know if you see the ICMPs or not. Note that this must be done on the
> local tunnel endpoint, not the remote one.
>
> Helge
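
As an added example (not part of the thread, and not FreeBSD code), here is the sizing question above worked through for tunnel-mode ESP using the RFC 2406 packet layout. Assumed, not stated in the thread: a 1500-byte path MTU, an IPv4 outer header, Blowfish-CBC with an 8-byte block and 8-byte IV, and an optional 12-byte HMAC-96 ICV; all function names are illustrative.

```python
# Added example: ESP tunnel-mode size arithmetic (RFC 2406 layout).
# Defaults are assumptions: IPv4 outer header without options, Blowfish-CBC
# (8-byte block, 8-byte IV), and a 12-byte ICV (HMAC-MD5-96 / HMAC-SHA1-96).

ESP_HEADER = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1), encrypted with the payload


def esp_tunnel_size(inner_len, block=8, iv=8, icv=12, outer_ip=20):
    """Size of the outer IP packet that carries an inner packet of inner_len bytes."""
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // block) * block   # round up to the cipher block size
    return outer_ip + ESP_HEADER + iv + padded + icv


def max_inner_mtu(path_mtu=1500, block=8, iv=8, icv=12, outer_ip=20):
    """Largest inner packet whose encapsulated form still fits in path_mtu."""
    room = path_mtu - outer_ip - ESP_HEADER - iv - icv
    return (room // block) * block - ESP_TRAILER


def frag_needed_mtu(inner_len, df_set, path_mtu=1500, **kw):
    """MTU the local tunnel endpoint would report in ICMP type 3 code 4,
    or None when the packet fits or may be fragmented (DF clear)."""
    if df_set and esp_tunnel_size(inner_len, **kw) > path_mtu:
        return max_inner_mtu(path_mtu, **kw)
    return None


if __name__ == "__main__":
    cases = [("ESP Blowfish-CBC + 96-bit HMAC", {}),
             ("ESP Blowfish-CBC, no authentication", {"icv": 0}),
             ("ESP + HMAC, 40 bytes of outer IP options", {"outer_ip": 60})]
    for label, kw in cases:
        print(f"{label}: inner MTU {max_inner_mtu(**kw)}")
    print("1450-byte DF packet -> advertised MTU", frag_needed_mtu(1450, True))
```

Under these assumptions the 1436 quoted in the thread encapsulates to 1488 bytes, so it leaves slack on a 1500-byte path; adding AH or outer IP options shrinks the limit further.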