Problem: My box does not forward ICMP Fragmentation Needed packets to its masqueraded clients.

Setup: I have a box with 3 NICs, kernel 2.6.11 and iptables 1.2.11. This box has two gateways, and the network flow is as follows:

eth0 <---> clients
eth1 <---> standard internet traffic
eth2 <---> VPN

Details: Traffic on eth2 is masqueraded (required). The problem is that the packets (MTU 1500) must be encapsulated in IPsec packets at the next hop, where the MTU is the same; therefore the VPN server sends back an ICMP packet saying that fragmentation is needed. The ICMP packets are received by my box, but not forwarded to the clients, which continue to send 1500-byte packets. Therefore the VPN site does not open.

Is that normal behavior? Should I add anything to the iptables rules in order to make it forward ICMP Frag Needed packets?

Thank you very much!

Iptables on eth2:
Input, Output, Forward - Policy ACCEPT (nothing else)
Nat - POSTROUTING anywhere anywhere -j MASQUERADE

Current Workaround:
- ifconfig eth2 mtu 1400 (I don't like it! :)
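The usual way to sidestep a lost Fragmentation Needed message on a masquerading gateway is TCP MSS clamping: rewrite the MSS option of SYN packets leaving the VPN interface so the clients never emit full 1500-byte segments, and (if the FORWARD policy is ever tightened) explicitly accept ICMP errors that connection tracking ties to an existing flow. The script below is an added example and is not part of the original post; it assumes the VPN-facing interface is eth2 and that the `iptables` binary is on the path (both overridable through environment variables). It prints the rules instead of applying them so they can be reviewed first; pipe the output to `sh` as root to install them.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes eth2 faces the VPN
# and that $IPTABLES names a working iptables binary (both are assumptions).
IPTABLES="${IPTABLES:-iptables}"
VPN_IF="${VPN_IF:-eth2}"

# Largest TCP MSS that fits in a given path MTU:
# subtract 20 bytes IPv4 header + 20 bytes TCP header (no options).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Emit the rules one per line rather than executing them, so they can be
# inspected, diffed against the running ruleset, or fed to "sh" as root.
mss_clamp_rules() {
    # Clamp the MSS of outbound SYNs on the VPN link to the path MTU the
    # kernel has learned, so the clients' segments fit after IPsec encapsulation.
    echo "$IPTABLES -t mangle -A FORWARD -o $VPN_IF -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
    # Let conntrack-matched Fragmentation Needed errors through even if the
    # FORWARD policy is later changed from ACCEPT to DROP.
    echo "$IPTABLES -A FORWARD -i $VPN_IF -p icmp --icmp-type fragmentation-needed -m state --state RELATED -j ACCEPT"
}

# Fixed-MSS variant for when the encapsulation overhead is already known,
# e.g. an effective MTU of 1400 gives an MSS of 1360.
mss_fixed_rule() {
    echo "$IPTABLES -t mangle -A FORWARD -o $VPN_IF -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $(mss_for_mtu "$1")"
}

# Install the clamp-to-PMTU rules (requires root and a kernel with TCPMSS support).
apply_rules() {
    mss_clamp_rules | sh
}
```

The clamp-to-PMTU form relies on the gateway itself having learned the path MTU from the ICMP error, which happens when the message reaches the box as the post describes; the fixed-MSS form works even when no ICMP error ever arrives, which is why it is the more robust choice on links with a known IPsec overhead. Either way, MASQUERADE only maps an ICMP error back to the originating client when the connection-tracking modules are loaded and the flow is in the table.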