Date: Wed, 29 Oct 2003 10:04:46 +0100 (MET)
From: Helge Oldach <helge.oldach@atosorigin.com>
To: e-masson@kisoft-services.com (Eric Masson)
Cc: freebsd-net@freebsd.org
Subject: Re: ipsec tunnels & packet length issues
Message-ID: <200310290904.KAA09027@galaxy.hbg.de.ao-srv.com>
In-Reply-To: <86n0bllhez.fsf@t39bsdems.interne.kisoft-services.com> from Eric Masson at "Oct 28, 2003 12:40: 4 pm"

Eric Masson:
>>>>>> "Michael" == Michael Sierchio <kudzu@tenebras.com> writes:
>
> Michael> You should allow for an IP header with options and the ESP
> Michael> header, which is smaller than 1450. For SKIP I use 1366 as the
> Michael> advertised MTU, and for IPsec usually 1436, unless I need to
> Michael> accommodate ESP and AH, in which case it's smaller.
>
>Ok, that's fine.
>
> Michael> It's a known feature of any sort of IP encapsulation.
>
>I understand.
>
>I'm no kernel hacker at all, I was just thinking about the ability for
>the tunnel endpoint to send back an icmp packet type 3 code 4 when the
>packet is too long to be encapsulated.

Actually this is the case. Or better, it *should* be happening - I don't
know if you see the ICMPs or not. Note that this must be done on the
local tunnel endpoint, not the remote one.

Helge
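
The behaviour discussed in this thread, as an added example that is not part of the original e-mails: Python code that builds the ICMP type 3 code 4 (fragmentation needed) message a local tunnel endpoint would return for an oversized packet with DF set, and parses such a message to read the next-hop MTU. Function names and sample addresses are constructed for illustration; 1436 is the IPsec MTU quoted in the thread, and the message layout follows RFC 792 and RFC 1191.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def frag_needed_for(packet: bytes, tunnel_mtu: int):
    """Return the ICMP type 3 code 4 message the local endpoint sends, or None."""
    ihl = (packet[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    dont_fragment = bool(flags_frag & 0x4000)
    if total_len <= tunnel_mtu or not dont_fragment:
        return None  # fits in the tunnel, or may be fragmented instead
    quoted = packet[:ihl + 8]  # original IP header + first 8 payload bytes
    head = struct.pack("!BBHHH", 3, 4, 0, 0, tunnel_mtu)
    csum = inet_checksum(head + quoted)
    return struct.pack("!BBHHH", 3, 4, csum, 0, tunnel_mtu) + quoted

def parse_frag_needed(icmp: bytes):
    """Validate an ICMP message; return (next_hop_mtu, orig_src, orig_dst) or None."""
    if len(icmp) < 8 + 20 or inet_checksum(icmp) != 0:
        return None  # truncated or corrupted
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return None
    # Source and destination of the packet that was too big, from the quoted header.
    src, dst = icmp[8 + 12:8 + 16], icmp[8 + 16:8 + 20]
    return mtu, socket.inet_ntoa(src), socket.inet_ntoa(dst)

def sample_packet(total_len: int, df: bool) -> bytes:
    """Constructed IPv4 header + 8 payload bytes; addresses are made-up sample
    values and the IP header checksum is left at zero."""
    flags = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags, 64, 6, 0,
                      socket.inet_aton("192.0.2.10"),
                      socket.inet_aton("198.51.100.20"))
    return hdr + b"\x00" * 8

if __name__ == "__main__":
    icmp = frag_needed_for(sample_packet(1500, df=True), 1436)
    print(parse_frag_needed(icmp))
```

Running `parse_frag_needed` over ICMP payloads captured on the sending host shows whether the type 3 code 4 messages actually arrive and which MTU they advertise.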
