Re: ipsec tunnels & packet length issues

From: Helge Oldach (helge.oldach_at_atosorigin.com)
Date: 10/29/03

  • Next message: Eric Masson: "Re: ipsec tunnels & packet length issues" 
    To: e-masson@kisoft-services.com (Eric Masson)
Date: Wed, 29 Oct 2003 10:04:46 +0100 (MET)

    Eric Masson:
    >>>>>> "Michael" == Michael Sierchio <kudzu@tenebras.com> writes:
    >
    > Michael> You should allow for an IP header with options and the ESP
    > Michael> header, which is smaller than 1450. For SKIP I use 1366 as the
    > Michael> advertised MTU, and for IPsec usually 1436, unless I need to
    > Michael> accomodate ESP and AH, in which case it's smaller.
    >
    >Ok, that's fine.
    >
    > Michael> It's a known feature of any sort of IP encapsulation.
    >
    >I understand.
    >
    >I'm no kernel hacker at all, I was just thinking about the ability for
    >the tunnel endpoint to send back an icmp packet type 3 code 4 when the
    >packet is too long to be encapsulated.

    Actually this is the case. Or better, it *should* be happening - I don't
    know if you see the ICMPs or not. Note that this must be done on the
    local tunnel endpoint, not the remote one.

    Helge
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

  • Next message: Eric Masson: "Re: ipsec tunnels & packet length issues"

    Relevant Pages