On Tue, 11 Feb 2020 at 10:25, Simen Stavdal <sstav...@gmail.com> wrote:

> <If the inner gif/gre tunnel has a lower mtu, then it being a layer-3
> tunnel will be able to fragment all incoming ip before sending it into the
> ipsec, which will not fragment for you.
> The clients will not have to change, nor any other protocol that sends ip
> via the double-tunnel.>
>
> If a client and a server set up a new conversation over tcp.
> They both have an MTU of 1500 and DF=1
> How will you fragment this, even being a L3 tunnel?
>

You don't fragment DF=1 packets, you send "Fragmentation Needed and Don't
Fragment was Set" back if they don't fit, like any L3 box would do
regardless and they adapt or fail.
That is what you should get for setting DF=1.

-- 
May the most significant bit of your life be positive.
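
The forwarding decision described in this message, as an added example that is not part of the original thread: an L3 hop with a smaller MTU forwards what fits, fragments DF=0 packets, and answers DF=1 packets with ICMP type 3 code 4 carrying the next-hop MTU (RFC 1191). The function names, the 1400-byte tunnel MTU and the sample addresses are constructed; the sketch assumes IPv4 without options and input that is not already a fragment.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def frag_needed(packet: bytes, next_hop_mtu: int) -> bytes:
    """ICMP 'Fragmentation Needed and DF Set': type 3, code 4, MTU in bytes 6-7."""
    ihl = (packet[0] & 0x0F) * 4
    # Body: 16 unused bits, next-hop MTU, then original IP header + first 8 payload bytes
    body = struct.pack("!HH", 0, next_hop_mtu) + packet[:ihl + 8]
    csum = inet_checksum(struct.pack("!BBH", 3, 4, 0) + body)
    return struct.pack("!BBH", 3, 4, csum) + body

def forward(packet: bytes, mtu: int):
    """Return ('forward', [pkt]), ('fragment', [frags]) or ('icmp', message)."""
    total_len, = struct.unpack("!H", packet[2:4])
    flags_off, = struct.unpack("!H", packet[6:8])
    if total_len <= mtu:
        return "forward", [packet]
    if flags_off & 0x4000:              # DF=1: never fragment, tell the sender
        return "icmp", frag_needed(packet, mtu)
    ihl = (packet[0] & 0x0F) * 4
    header, payload = packet[:ihl], packet[ihl:total_len]
    step = (mtu - ihl) // 8 * 8         # fragment offsets are in 8-byte units
    frags = []
    for off in range(0, len(payload), step):
        chunk = payload[off:off + step]
        more = 0x2000 if off + step < len(payload) else 0   # MF on all but last
        h = bytearray(header)
        struct.pack_into("!H", h, 2, ihl + len(chunk))
        struct.pack_into("!H", h, 6, more | (off // 8))
        struct.pack_into("!H", h, 10, 0)
        struct.pack_into("!H", h, 10, inet_checksum(bytes(h)))
        frags.append(bytes(h) + chunk)
    return "fragment", frags

def sample_packet(total_len: int, df: bool) -> bytes:
    """Constructed IPv4/TCP-protocol packet with a zero-filled payload."""
    h = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1,
                              0x4000 if df else 0, 64, 6, 0,
                              bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])))
    struct.pack_into("!H", h, 10, inet_checksum(bytes(h)))
    return bytes(h) + bytes(total_len - 20)
```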
