On Tue, 27 Feb 2018, Xinwei Hong wrote:
I have a route-based vpn setting between racoon and libreswan. The racoon side has MTU=1476, and libreswan has MTU=1332. When I ping with DF flag and pktsize larger than 1332 from libreswan side, pkt would be dropped as expected. However, from racoon side, ping with DF flag and pktsize=1400 could still reach host on libreswan side. Any idea why the vti01 does not drop the big pkt when DF is set?
I'm not an expert on the kernel VTI implementation, other than knowing it is being completely rewritten.... The VTI device MTU differs from kernel version to kernel version. I'm not sure why. libreswan doesn't change the MTU. I assume racoon does not either? (Does it even support vti, or are you doing this manually?)

In 3.23 we added support for nopmtudisc=yes|no (default no) which could maybe be used to change some of this behaviour?

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
