Hi!

We have an OpenSolaris 2009.6 system acting as a router and terminating an IPsec tunnel. The IPsec tunnel obviously has an impact on the MTU. Some Internet servers do send large packets with the DF bit set (typical PMTUD), but ignore the ICMP 'dest unreachable / need to frag' packets Solaris sends out in reply (or maybe a firewall in front of the server blocks these ICMP packets). So I'd rather accept suboptimal fragmentation than the situation I currently have, i.e. the sender keeps on sending their too-big packets and finally gives up.

Not sure how to tackle this. Since we can't parent everybody out there to please not block these ICMP packets, we have to work around the issue. Ideally Solaris sends out the ICMP type 3 code 4 as normal, and if the same sender sends another packet with the same (too big) size (i.e. a simple retransmit), OpenSolaris ignores the DF bit and fragments the packet to get it through the tunnel.

How would I get there without rewriting the Solaris network stack? Maybe this problem is more common than I thought and there is already a workaround available?

Cheers,
Kai

_______________________________________________
networking-discuss mailing list
networking-discuss@opensolaris.org