fragmentation vs. IPsec 2.6

Hello list,

2.6 + IPsec causes problems for connections that need fragmentation. My
setup:

desktop                   masq'ing $router
2.4.24+ipsec              2.6.1
10.x.y.25--------10.x.y.1 MASQ a.b.c.d ---> Internet

Now if a packet from the Internet larger than 1444 bytes arrives (which is
perfectly legal), $router will send the rather odd response "icmp
a.b.c.d unreachable, need to frag (1444 bytes)". So you get $router telling
you that $router is unreachable when a packet reaches $router.

ip_output.c says:

        if (skb->len > mtu) {
                /* packet is larger than the tunnel MTU: report it to the
                 * sender with ICMP "fragmentation needed" and give up */
                icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu));
                ret = -EMSGSIZE;
        }

So if I understand this correctly, the IPsec tunnel relies on the end to end
MTU detection and simply drops packets when they're too large to
encapsulate. However, in a masq'ing/IPsec combination, this won't work. The
fragmentation is needed for a local process (namely after de-masq'ing the
packet when the kernel finds out it needs to encrypt the packet) and I think
the FRAG_NEEDED is illegal here.

V.
-- 
http://www.openoffice.nl/   Open Office - Linux Office Solutions
Valentijn Sessink  valentyn+sessink@nospam.openoffice.nl
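An added example (not code from the post or from the kernel) modelling the two behaviours discussed above: the textbook IPv4 decision at a tunnel endpoint (RFC 791/1191: fragment when DF is clear, send ICMP "fragmentation needed" with the next-hop MTU when DF is set) next to a model of the three quoted ip_output.c lines, which send ICMP on size alone. The 1500-byte link MTU, the 56-byte encapsulation overhead (chosen so the tunnel MTU is the 1444 bytes in the report) and the packet sizes are assumptions.

```python
# Model of a tunnel endpoint's "packet too big" handling. Constructed
# values: LINK_MTU and TUNNEL_OVERHEAD are assumptions chosen so that the
# usable tunnel MTU matches the 1444 bytes mentioned in the report.
from dataclasses import dataclass

LINK_MTU = 1500        # assumed physical link MTU
TUNNEL_OVERHEAD = 56   # assumed encapsulation cost: 1500 - 56 = 1444
IP_HDR_LEN = 20        # IPv4 header without options


@dataclass
class Packet:
    length: int   # total IPv4 length in bytes, header included
    df: bool      # Don't Fragment flag


def tunnel_mtu(link_mtu=LINK_MTU, overhead=TUNNEL_OVERHEAD):
    """Largest inner packet that still fits once encapsulated."""
    return link_mtu - overhead


def rfc_forward(pkt, mtu):
    """RFC 791/1191 behaviour.

    Returns ("forward", [(offset8, length, more_fragments)]) when the packet
    is sent as-is or fragmented, or ("icmp_frag_needed", mtu) when DF forbids
    fragmentation and the sender must be told the next-hop MTU."""
    if pkt.length <= mtu:
        return ("forward", [(0, pkt.length, False)])
    if pkt.df:
        return ("icmp_frag_needed", mtu)
    # DF clear: fragment. Fragment payloads must be multiples of 8 bytes,
    # and the fragment offset field counts in 8-byte units.
    per_frag = (mtu - IP_HDR_LEN) // 8 * 8
    payload, offset, frags = pkt.length - IP_HDR_LEN, 0, []
    while payload > 0:
        chunk = min(payload, per_frag)
        frags.append((offset // 8, IP_HDR_LEN + chunk, payload > chunk))
        payload -= chunk
        offset += chunk
    return ("forward", frags)


def quoted_check(pkt, mtu):
    """Model of the three quoted ip_output.c lines: the only input is the
    size, so a fragmentable (DF clear) packet gets ICMP instead of being
    fragmented. Returns ("icmp_frag_needed", mtu) or ("forward", length)."""
    if pkt.length > mtu:
        return ("icmp_frag_needed", mtu)   # ICMP_DEST_UNREACH / ICMP_FRAG_NEEDED
    return ("forward", pkt.length)
```

With a 1500-byte packet and DF clear, rfc_forward() yields two fragments (1444 and 76 bytes) while quoted_check() answers with "fragmentation needed" for the same packet.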