Summary: | openswan-2.4.4: pmtu discovery on SA ESP/12d83c5d/54b87h97 | | |
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Ervin Peters <ervin.peters> |
Component: | [OLD] Unspecified | Assignee: | Alin Năstac (RETIRED) <mrness> |
Status: | RESOLVED INVALID | | |
Severity: | normal | CC: | pfeifer |
Priority: | High | | |
Version: | 2005.1 | | |
Hardware: | x86 | | |
OS: | Linux | | |
Whiteboard: | | | |
Package list: | | Runtime testing required: | --- |
Description
Ervin Peters
2006-02-27 08:09:51 UTC
Workaround: I set the mtu on the remote machine to 1492. I read something that pmtu-discovery might fail in some cases, because of misconfigured routers/gateways. It has been working for quite a while now.

ervin

I've assumed the maintainer position.

I guess some router along the line filters ICMP "fragmentation needed" packets. Clamping MSS to PMTU won't help you since this field is present only in TCP packets and IPSec traffic is anything but TCP (keys are negotiated through UDP and data packets are transferred using AH or ESP).

The overridemtu parameter is ignored when openswan uses your kernel implementation of ipsec. openswan no longer creates ipsec%d interfaces and therefore cannot modify MTU:

    ipsec_setup: WARNING: overridemtu= is ignored when using the NETKEY stack

Try to use tracepath to see if someone filters those precious ICMP packets. After you identify the guilty ones, tell them how braindead their filtering policy is.

Bug closed as INVALID.
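
The following is an added example, not part of the bug report or of openswan: a shell function that finds the usable path MTU even when ICMP "fragmentation needed" replies are filtered, by binary-searching echo sizes sent with the DF bit set. It assumes iputils `ping` (`-M do`); `peer.example.net` and the function names `probe` and `find_pmtu` are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example: locate the largest IPv4 packet that crosses a path when
# ICMP "fragmentation needed" replies may be filtered (PMTU black hole).

# probe HOST PAYLOAD: succeed if one echo request with DF set and PAYLOAD
# data bytes is answered. Assumes iputils ping; override to test offline.
probe() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# find_pmtu HOST [LOW] [HIGH]: binary-search the path MTU in bytes.
# LOW and HIGH are candidate MTUs. The ICMP payload for a candidate is
# MTU - 28 (20-byte IPv4 header + 8-byte ICMP header).
find_pmtu() {
    host=$1 lo=${2:-576} hi=${3:-1500}
    # The smallest candidate must pass; otherwise the host is unreachable
    # or echo itself is filtered and the search would be meaningless.
    probe "$host" $((lo - 28)) || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$host" $((mid - 28)); then
            lo=$mid           # a packet of size mid gets through
        else
            hi=$((mid - 1))   # dropped, with or without an ICMP error
        fi
    done
    echo "$lo"
}

# Run directly as: sh pmtu.sh peer.example.net   (placeholder host name)
if [ "$#" -gt 0 ]; then
    find_pmtu "$@"
fi
```

The value printed is the MTU for the outer packets on the path; traffic inside the tunnel has less room, since AH or ESP encapsulation adds its own overhead.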