ipsec tunnels & packet length issues

Helge Oldach helge.oldach at atosorigin.com
Wed Oct 29 01:04:58 PST 2003


Eric Masson:
>>>>>> "Michael" == Michael Sierchio <kudzu at tenebras.com> writes:
>
> Michael> You should allow for an IP header with options and the ESP
> Michael> header, which is smaller than 1450. For SKIP I use 1366 as the
> Michael> advertised MTU, and for IPsec usually 1436, unless I need to
> Michael> accommodate ESP and AH, in which case it's smaller.
>
>Ok, that's fine.
>
> Michael> It's a known feature of any sort of IP encapsulation.
>
>I understand.
>
>I'm no kernel hacker at all, I was just thinking about the ability for
>the tunnel endpoint to send back an ICMP packet type 3 code 4 when the
>packet is too long to be encapsulated.

Actually this is the case. Or better, it *should* be happening - I don't
know if you see the ICMPs or not. Note that this must be done on the
local tunnel endpoint, not the remote one.

Helge
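
The behaviour discussed in this thread, as an added example that is not part of the original messages or of FreeBSD's code: it computes the largest inner packet that fits an ESP tunnel-mode packet and builds the ICMP type 3 code 4 reply the local tunnel endpoint would send for an oversized packet with DF set. The function names, the sample packet, and the parameters (20-byte outer IP header without options, 8-byte IV, 8-byte cipher block, 12-byte ICV) are assumptions, so the result is not meant to reproduce the MTU figures quoted above.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def esp_tunnel_inner_mtu(link_mtu, iv_len, block, icv_len, outer_hdr=20):
    """Largest inner IP packet that fits in one ESP tunnel-mode packet."""
    # Fixed costs: outer IP header, ESP header (SPI + sequence = 8), IV, ICV.
    room = link_mtu - outer_hdr - 8 - iv_len - icv_len
    # Encrypted part = inner packet + padding + pad-length + next-header
    # bytes, rounded down to the cipher block size (never less than 4).
    room -= room % max(block, 4)
    return room - 2

def frag_needed(inner: bytes, next_hop_mtu: int) -> bytes:
    """ICMP type 3 code 4: RFC 1191 next-hop MTU plus the offending header."""
    ihl = (inner[0] & 0x0F) * 4
    quoted = inner[:ihl + 8]          # IP header plus first 8 payload bytes
    hdr = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu)
    csum = inet_checksum(hdr + quoted)
    return struct.pack("!BBHHH", 3, 4, csum, 0, next_hop_mtu) + quoted

def local_endpoint(inner: bytes, inner_mtu: int):
    """Decision at the local tunnel endpoint before encapsulation."""
    total_len, _ident, flags_frag = struct.unpack("!HHH", inner[2:8])
    if total_len <= inner_mtu:
        return ("encapsulate", None)
    if flags_frag & 0x4000:           # DF set: cannot fragment, tell sender
        return ("icmp", frag_needed(inner, inner_mtu))
    return ("fragment", None)

# Constructed sample: 1500-byte TCP packet with DF set, 10.0.0.1 -> 10.0.1.1
# (header checksum left at zero; it is not validated here).
SAMPLE = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 1, 1])) + bytes(1480)

if __name__ == "__main__":
    mtu = esp_tunnel_inner_mtu(1500, iv_len=8, block=8, icv_len=12)
    action, icmp = local_endpoint(SAMPLE, mtu)
    print(mtu, action, icmp[:8].hex())
```

If the sender never sees this ICMP message (for example because a filter drops it), path MTU discovery stalls and large packets silently disappear, which is why the thread asks whether the ICMPs are actually visible.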


More information about the freebsd-net mailing list