On 2020-02-11, Simen Stavdal <[email protected]> wrote:
>> If the inner gif/gre tunnel has a lower mtu, then it being a layer-3
>> tunnel will be able to fragment all incoming ip before sending it into the
>> ipsec, which will not fragment for you.
>> The clients will not have to change, nor any other protocol that sends ip
>> via the double-tunnel.
>
> If a client and a server set up a new conversation over tcp.
> They both have an MTU of 1500 and DF=1
> How will you fragment this, even being a L3 tunnel?
If you encapsulate the packets you can run it like this:
The "outer" packets get fragmented. The "inner" packets stay full-size

<----1500 byte inner---->
<--encap1--> <--encap2-->

The other end reassembles the outer packets before decapsulating the
(full size) inner packet.

I've done this personally with full-size ethernet frames through an
ipsec+etherip bridge, I think it also works for L3 encap.
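A small model of the scheme in the reply above (full-size inner packet, outer packet fragmented, reassembled before decapsulation), added here as an example and not code from the thread. The header sizes are assumptions: 20-byte IPv4 headers, gif adding one of them, and ESP modelled as a fixed 38 bytes of overhead.

```python
# Added example (not from the thread): "fragment the outer, keep the inner
# full-size". Sizes are assumptions: 20-byte IPv4 headers, gif (IP-in-IP)
# prepends one, ESP is modelled as 38 bytes of SPI/seq/IV/trailer/ICV.
IP_HDR = 20
GIF_OVERHEAD = IP_HDR     # gif prepends an outer IP header to the inner packet
ESP_OVERHEAD = 38         # assumed ESP header + IV + trailer + ICV
LINK_MTU = 1500           # MTU of the link between the two gateways


def fragment(ip_payload: bytes, mtu: int):
    """IPv4-style fragmentation of one outer packet's payload.
    Each fragment carries its own IP_HDR bytes of header; data lengths are
    multiples of 8 except in the last piece. The inner packet's DF bit is
    irrelevant here: it sits inside the payload being split, and the outer
    header is a new one. Returns (offset_in_8_byte_units, MF, data) tuples."""
    max_data = (mtu - IP_HDR) // 8 * 8
    frags, off = [], 0
    while off < len(ip_payload):
        chunk = ip_payload[off:off + max_data]
        more = off + len(chunk) < len(ip_payload)
        frags.append((off // 8, more, chunk))
        off += len(chunk)
    return frags


def reassemble(frags):
    """Far-end reassembly, tolerant of reordering; raises on a missing piece."""
    data, expected, more = b"", 0, True
    for offset, more, chunk in sorted(frags, key=lambda f: f[0]):
        if offset * 8 != expected:
            raise ValueError("missing fragment at byte offset %d" % expected)
        data += chunk
        expected += len(chunk)
    if more:  # last fragment seen still had MF set: datagram incomplete
        raise ValueError("final fragment not received")
    return data


def tunnel_round_trip(inner: bytes, link_mtu: int = LINK_MTU):
    """Encapsulate inner in gif then ESP, fragment the outer packet to the
    link MTU, reassemble on the far side, decapsulate.
    Returns (number of outer fragments, recovered inner packet)."""
    outer_payload = b"E" * ESP_OVERHEAD + b"G" * GIF_OVERHEAD + inner
    frags = fragment(outer_payload, link_mtu)
    # deliver in reverse order to show reassembly does not depend on order
    recovered = reassemble(frags[::-1])
    return len(frags), recovered[ESP_OVERHEAD + GIF_OVERHEAD:]


# constructed sample: a 1500-byte inner packet (the DF=1 case from the thread)
INNER = bytes(range(256)) * 5 + b"\x00" * 220
```

With a 1500-byte link MTU the 1558-byte outer payload becomes two outer fragments (1480 + 78 bytes of data) and the inner packet comes back intact; raise the link MTU to 1600 and it travels as one packet.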

