ipsec tunnels & packet length issues
Michael Sierchio
kudzu at tenebras.com
Fri Oct 24 09:19:04 PDT 2003
Eric Masson wrote:
> If I reduce lan interface mtu on "Host" to approximately 1450, the
> tunnel works fine, so it seems that "Tunnel Endpoint" can't correctly
> process packets with a size of 1500 bytes.
You should allow for an IP header with options and the ESP header,
which is smaller than 1450. For SKIP I use 1366 as the advertised
MTU, and for IPsec usually 1436, unless I need to accommodate ESP
and AH, in which case it's smaller.
> If more information regarding this issue is needed, just ask.
>
> Is this a known issue?
It's a known feature of any sort of IP encapsulation.
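
The arithmetic behind the reply above, as an added example that is not part of the original post: it computes the on-wire size of an ESP tunnel-mode packet and the largest inner packet that still fits in the path MTU. The transform table, the function names and the 20-byte outer IPv4 header default are assumptions chosen for illustration.

```python
# Added example: ESP tunnel-mode overhead (framing per RFC 4303).
# The transforms listed are illustrative assumptions, not taken from the thread.
from dataclasses import dataclass

ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)

@dataclass(frozen=True)
class Transform:
    iv_len: int    # per-packet IV carried in the clear
    block: int     # cipher block size; padding aligns to this
    icv_len: int   # truncated integrity check value

TRANSFORMS = {
    "3des-cbc/hmac-sha1-96": Transform(8, 8, 12),
    "aes-cbc/hmac-sha1-96": Transform(16, 16, 12),
    "aes-cbc/hmac-sha2-256-128": Transform(16, 16, 16),
}

def esp_tunnel_size(inner_len, t, outer_ip=20):
    """On-wire size of the ESP packet that carries an inner packet of inner_len bytes."""
    align = max(t.block, 4)                  # ESP requires at least 4-byte alignment
    plaintext = inner_len + ESP_TRAILER      # inner packet + pad length + next header
    padded = -(-plaintext // align) * align  # round up to the alignment boundary
    return outer_ip + ESP_HEADER + t.iv_len + padded + t.icv_len

def max_inner_mtu(path_mtu, t, outer_ip=20):
    """Largest inner packet whose ESP encapsulation still fits in path_mtu."""
    align = max(t.block, 4)
    fixed = outer_ip + ESP_HEADER + t.iv_len + t.icv_len
    room = (path_mtu - fixed) // align * align  # encrypted region, rounded down
    return room - ESP_TRAILER

if __name__ == "__main__":
    for name, t in TRANSFORMS.items():
        print(f"{name:28s} 1500-byte inner -> {esp_tunnel_size(1500, t)} on the wire, "
              f"max inner MTU {max_inner_mtu(1500, t)}, "
              f"with 60-byte outer IP header {max_inner_mtu(1500, t, outer_ip=60)}")
```

A full-size 1500-byte inner packet always exceeds a 1500-byte path MTU once encapsulated, so it is fragmented or dropped unless the sender's MTU or MSS is lowered to the computed limit or below.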