Date:      Wed, 29 Oct 2003 10:04:46 +0100 (MET)
From:      Helge Oldach <helge.oldach@atosorigin.com>
To:        e-masson@kisoft-services.com (Eric Masson)
Cc:        freebsd-net@freebsd.org
Subject:   Re: ipsec tunnels & packet length issues
Message-ID:  <200310290904.KAA09027@galaxy.hbg.de.ao-srv.com>
In-Reply-To: <86n0bllhez.fsf@t39bsdems.interne.kisoft-services.com> from Eric Masson at "Oct 28, 2003 12:40: 4 pm"

Eric Masson:
>>>>>> "Michael" == Michael Sierchio <kudzu@tenebras.com> writes:
>
> Michael> You should allow for an IP header with options and the ESP
> Michael> header, which is smaller than 1450. For SKIP I use 1366 as the
> Michael> advertised MTU, and for IPsec usually 1436, unless I need to
> Michael> accommodate ESP and AH, in which case it's smaller.
>
>Ok, that's fine.
>
> Michael> It's a known feature of any sort of IP encapsulation.
>
>I understand.
>
>I'm no kernel hacker at all, I was just thinking about the ability for
>the tunnel endpoint to send back an icmp packet type 3 code 4 when the
>packet is too long to be encapsulated.

Actually this is the case. Or better, it *should* be happening - I don't
know if you see the ICMPs or not. Note that this must be done on the
local tunnel endpoint, not the remote one.

Helge


