Hi, Dan

>> We have an OpenSolaris 2009.6 system acting as a router and
>> terminating an IPSec-Tunnel. The IPSec-Tunnel obviously has an impact on
>> the MTU.
>> Some Internet servers do send large packets with DF bit set (typical
>> PMTUD), but ignore the icmp 'dest unreachable / need to frag' - packets,
>> Solaris sends out in reply (or maybe a firewall in front of the server
>> blocks these icmp packets).
>>
>> So I'd rather accept suboptimal fragmentation than the situation I
>> currently have, i.e. the sender keeps on sending their too big packets
>> and finally gives up.
>>
>> Not sure how to tackle this.
>>
>> Since we can't parent everybody out there to please not block these icmp
>> packets, we have to work around the issue.
>>
>> Ideally Solaris sends out the icmp type 3 code 4 as normal and if the
>> same sender sends another packet with the same (too big) size (i.e. a
>> simple retransmit), OpenSolaris ignores the DF-bit and fragments the
>> packet to get it thru the tunnel.
>>
>> How would I get there without rewriting the Solaris network stack? Maybe
>> this problem is more common than I thought and there is already a
>> workaround available?
> Lots of poorly-configured firewalls drop PMTUD.
:
>
> Have you considered explicitly lowering the MTU of your tunnel(s) ("ifconfig
> ip.tun0 mtu 1376")? That way, the only nodes who need to worry about PathMTU
> discovery are *internal* nodes, which you presumably have more control over?

Mmh - either I misunderstood the whole PMTUD-concept or I poorly explained my situation:

Sending Mailserver <-> Solaris <-> (ipsec-tunnel) <-> VPN-Gateway <-> receiving mailserver

Here's the snoop on the wan-interface (i.e. towards the sending mailserver):

216.104.20.23 -> 213.172.123.138 SMTP C port=58657 Received: from out02
213.172.123.138 -> 216.104.20.23 ICMP Destination unreachable (Needed to fragment: next hop MTU = 1402)
216.104.20.23 -> 213.172.123.138 SMTP C port=59044 Received: from out02
213.172.123.138 -> 216.104.20.23 ICMP Destination unreachable (Needed to fragment: next hop MTU = 1402)
:

1) Sending mailserver sends packet with 1450 Byte and DF bit set.
2) Solaris would have to frag the packet to get it thru the tunnel, but DF bit is set. So Solaris sends back the icmp need to frag (with next hop MTU=1402) to the sending mailserver.
3) Sending mailserver ignores info and keeps sending big packets.

Lowering the MTU on the tunnel interfaces wouldn't change the situation - it only would lower the next hop MTU info in the icmp-Packet, wouldn't it?

Cheers,
Kai

_______________________________________________
networking-discuss mailing list
networking-discuss@opensolaris.org
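The per-sender DF-override policy Kai asks for (answer the first oversized DF packet with ICMP type 3 code 4, fragment the retransmit anyway) modelled as an added example; this is not code from the thread or from OpenSolaris. It assumes a simplified packet record, the 1402-byte next-hop MTU and the addresses from the snoop above, and constructed packet sizes.

```python
from collections import defaultdict
from dataclasses import dataclass

IP_HDR = 20        # IPv4 header without options
TUNNEL_MTU = 1402  # next-hop MTU advertised in the thread's ICMP replies


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    length: int  # total IP length in bytes
    df: bool     # Don't Fragment bit


def fragment_sizes(length, mtu=TUNNEL_MTU):
    """Total lengths of the IP fragments of a packet; fragment offsets are 8-byte aligned."""
    if length <= mtu:
        return [length]
    payload, per_frag, sizes = length - IP_HDR, (mtu - IP_HDR) // 8 * 8, []
    while payload > 0:
        chunk = min(per_frag, payload)
        sizes.append(chunk + IP_HDR)
        payload -= chunk
    return sizes


class DfOverrideRouter:
    """First oversized DF packet per (src, dst, size) gets ICMP type 3 code 4;
    a retransmit of the same size means the ICMP was dropped, so fragment anyway."""
    def __init__(self, mtu=TUNNEL_MTU):
        self.mtu = mtu
        self.warned = defaultdict(int)  # (src, dst, length) -> ICMPs already sent

    def handle(self, pkt):
        if pkt.length <= self.mtu:
            return "forward"
        if not pkt.df:
            return "fragment"
        key = (pkt.src, pkt.dst, pkt.length)
        if self.warned[key] == 0:
            self.warned[key] += 1
            return "icmp_need_frag"  # advertise next-hop MTU = self.mtu
        return "fragment"  # sender ignored the ICMP: override DF for this flow


def run(packets, mtu=TUNNEL_MTU):
    """Replay a packet list through a fresh router and return the per-packet actions."""
    router = DfOverrideRouter(mtu)
    return [router.handle(p) for p in packets]


# Constructed replay of the scenario in the thread: 1450-byte DF packets, retransmitted.
SAMPLE = [Packet("216.104.20.23", "213.172.123.138", n, True) for n in (1450, 1450, 1450, 1200)]
# run(SAMPLE) -> ['icmp_need_frag', 'fragment', 'fragment', 'forward']
```

`fragment_sizes(1450)` shows why the fix is "suboptimal": a 1450-byte packet becomes a 1396-byte fragment plus a 74-byte one, because the first fragment's payload is rounded down to a multiple of 8.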