When working on the PMTU handling of IPSec for IPv4, I found an ambiguous issue with PMTU handling. When using manual keying, it's possible that several different secure policies use the same SA. The following is such a config file:

    spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec
        esp/tunnel/172.16.219.114-172.16.219.160/require
        ah/transport//require;
    spdadd 172.16.219.114 172.16.219.160 any -P out ipsec ah/transport//require;
    add 172.16.219.114 172.16.219.160 esp 24501 -m tunnel -E 3des-cbc "123456789012123456789012";
    add 172.16.219.114 172.16.219.160 ah 24502 -m transport -A hmac-md5 "1234567890123456";

The "ah 24502" SA is used by both secure policies. So if we receive an <<ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED>> message related to this "ah 24502" SA, we can't be certain whether this <<ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED>> message should be propagated to 10.1.1.0/24 or to 172.16.219.114.

I think this issue is inherent to IPSec for IPv4 and can't be resolved without more information. Am I missing some points? Your comments are welcome!

Thanks,
Forrest
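To make the ambiguity in the post concrete, the following is an added Python model written for this page; it is not code from the post, from the Linux kernel, or from setkey(8). It parses the quoted setkey configuration into an SPD and an SAD, works out which SA supplies the outermost header of each outbound policy, and then resolves an inbound ICMP_DEST_UNREACH/ICMP_FRAG_NEEDED message back to every policy whose traffic could have produced it. It assumes (as the post's reasoning does) that the transforms in a policy are applied in the order listed, so the last one is the outermost header on the wire, and that the ICMP message identifies the offending packet only by its outer (src, dst, protocol, SPI). The helper and class names are the example's own.

```python
"""Model the SPD/SAD from the post and resolve an ICMP frag-needed message
to the policies that could have sent the quoted packet (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SA:
    src: str
    dst: str
    proto: str
    spi: int
    mode: str


@dataclass(frozen=True)
class Transform:
    proto: str
    mode: str
    tun_src: str = ""   # only meaningful for mode == "tunnel"
    tun_dst: str = ""


@dataclass(frozen=True)
class SP:
    src: str
    dst: str
    direction: str
    transforms: tuple   # applied in listed order; last one is outermost


# Constructed input: the setkey configuration quoted in the post.
SETKEY_CONF = """
spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec
    esp/tunnel/172.16.219.114-172.16.219.160/require
    ah/transport//require;
spdadd 172.16.219.114 172.16.219.160 any -P out ipsec ah/transport//require;
add 172.16.219.114 172.16.219.160 esp 24501 -m tunnel -E 3des-cbc "123456789012123456789012";
add 172.16.219.114 172.16.219.160 ah 24502 -m transport -A hmac-md5 "1234567890123456";
"""


def parse_setkey(text):
    """Parse 'spdadd' and 'add' statements into lists of SP and SA."""
    sps, sas = [], []
    for stmt in text.split(";"):
        tokens = stmt.split()
        if not tokens:
            continue
        if tokens[0] == "spdadd":
            src, dst = tokens[1], tokens[2]
            direction = tokens[tokens.index("-P") + 1]
            transforms = []
            for spec in tokens[tokens.index("ipsec") + 1:]:
                # proto/mode/endpoints/level, endpoints empty for transport
                proto, mode, endpoints, _level = spec.split("/")
                if mode == "tunnel":
                    tun_src, tun_dst = endpoints.split("-")
                    transforms.append(Transform(proto, mode, tun_src, tun_dst))
                else:
                    transforms.append(Transform(proto, mode))
            sps.append(SP(src, dst, direction, tuple(transforms)))
        elif tokens[0] == "add":
            src, dst, proto, spi = tokens[1], tokens[2], tokens[3], int(tokens[4])
            mode = tokens[tokens.index("-m") + 1]
            sas.append(SA(src, dst, proto, spi, mode))
    return sps, sas


def outer_header(sp):
    """Return (src, dst, proto, mode) of the outermost header a packet
    matching this policy carries on the wire. A tunnel transform replaces
    the addresses; a transport transform keeps them."""
    src, dst = sp.src, sp.dst
    last = None
    for t in sp.transforms:
        if t.mode == "tunnel":
            src, dst = t.tun_src, t.tun_dst
        last = t
    return src, dst, last.proto, last.mode


def sa_for_policy(sp, sas):
    """The SA that produces the policy's outermost header (manual keying)."""
    src, dst, proto, mode = outer_header(sp)
    for sa in sas:
        if (sa.src, sa.dst, sa.proto, sa.mode) == (src, dst, proto, mode):
            return sa
    return None


def pmtu_targets(sps, sas, src, dst, proto, spi):
    """Given the outer header quoted by an ICMP frag-needed message, return
    the (src, dst) selectors of every outbound policy whose traffic wears
    that header. More than one entry means the kernel cannot tell which
    flow the PMTU update belongs to."""
    quoted = [sa for sa in sas
              if (sa.src, sa.dst, sa.proto, sa.spi) == (src, dst, proto, spi)]
    if not quoted:
        return []
    return sorted({(sp.src, sp.dst) for sp in sps
                   if sp.direction == "out" and sa_for_policy(sp, sas) in quoted})


if __name__ == "__main__":
    sps, sas = parse_setkey(SETKEY_CONF)
    hits = pmtu_targets(sps, sas, "172.16.219.114", "172.16.219.160", "ah", 24502)
    print(f"AH SPI 24502 is the outer header for {len(hits)} outbound policies:")
    for s, d in hits:
        print(f"  {s} -> {d}")
```

Running it reports both selectors, 10.1.1.0/24 -> 10.1.2.0/24 and 172.16.219.114 -> 172.16.219.160, for the AH SPI 24502 message, which is exactly the two candidates the post cannot choose between; an ICMP quoting the ESP SPI 24501 resolves to nothing, since ESP is never the outermost header in this configuration.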