Thanks Andreas! Does this solution consider the case when the original packet does not require fragmentation, however after adding the ESP header/trailer, it becomes larger than the ethernet interface MTU on the same host?
On Mon, Nov 9, 2009 at 9:13 PM, Andreas Steffen <[email protected]> wrote:

> Hi,
>
> the 'overridemtu' was used by FreeS/WAN's own KLIPS IPsec stack
> and has in fact been deprecated with the native NETKEY IPsec stack of
> the Linux 2.6 kernel. The best way to avoid IP fragmentation problems
> is by enabling PMTU (Path MTU discovery) by setting the "do not
> fragment" (DF) bit in IP packets and allowing the forwarding of the
> "fragmentation required" ICMP (type 3, subtype 4) notifications in all
> firewalls in between.
>
> Regards
>
> Andreas
>
> Reid Stidolph wrote:
> > I am looking for a way to modify the MTU on the virtual tunnel interface.
> > It seemed like there was a deprecated setting 'overridemtu' that could be
> > configured in ipsec.conf. However, when I configure:
> >
> > conn home
> >     left=192.168.1.30
> >     leftsourceip=%config
> >     eap_identity=xxxxxxx
> >     leftid=xxxxxxx
> >     leftauth=eap
> >     leftfirewall=yes
> >     right=192.168.1.2
> >     rightid=192.168.1.2
> >     rightsubnet=172.16.90.0/24
> >     auto=add
> >     ike=3des-sha1-md5-modp1024
> >     overridemtu=1300
> >
> > I get the following:
> >
> > r...@shuttle2:/usr/local/etc# ipsec start
> > Starting strongSwan 4.3.5 IPsec [starter]...
> > charon is already running (/var/run/charon.pid exists) -- skipping charon start
> > # unsupported keyword 'overridemtu' in conn 'home'
> > ### 1 parsing error (0 fatal) ###
> >
> > What is the proper way to set tunnel MTU?
> >
> > I am needing to reduce tunnel MTU sizes, in order to prevent ESP/UDP
> > fragmentation (due to exceeding the ethernet interface MTU). Reassembly of
> > large amounts of ESP/UDP packets is burdening my gateway network processors.
> >
> > Help is greatly appreciated.
>
> ======================================================================
> Andreas Steffen [email protected]
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
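Added example (not part of the thread and not strongSwan code): a size calculation for the case asked about above, where a packet fits the Ethernet MTU before encapsulation but not after ESP-in-UDP tunnel-mode overhead is added. It assumes IPv4 and an ESP proposal of 3DES with HMAC-SHA1-96 (the thread shows only the IKE proposal); field sizes follow RFC 4303 and RFC 3948, and the function names are hypothetical.

```python
# Added example: ESP tunnel-mode size arithmetic (RFC 4303, RFC 3948).
OUTER_IPV4 = 20   # new outer IPv4 header, no options
UDP_ENCAP = 8     # UDP header used for NAT traversal (ESP/UDP)
ESP_HEADER = 8    # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header

# cipher -> (block size, IV length); integrity algorithm -> ICV length
CIPHERS = {"3des": (8, 8), "aes-cbc": (16, 16)}
ICVS = {"sha1": 12, "md5": 12, "sha256": 16}  # HMAC-*-96 / HMAC-SHA2-256-128


def esp_packet_size(inner_len, cipher="3des", integ="sha1", udp_encap=True):
    """On-wire size of an inner IP packet after tunnel-mode ESP encapsulation."""
    block, iv = CIPHERS[cipher]
    # Inner packet plus trailer is padded up to a multiple of the block size.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    fixed = OUTER_IPV4 + (UDP_ENCAP if udp_encap else 0) + ESP_HEADER + iv
    return fixed + padded + ICVS[integ]


def max_inner_packet(link_mtu, **kw):
    """Largest inner IP packet that still fits link_mtu once encapsulated."""
    for inner in range(link_mtu, 0, -1):
        if esp_packet_size(inner, **kw) <= link_mtu:
            return inner
    return 0


def max_tcp_mss(link_mtu, **kw):
    """TCP MSS for that inner size (20-byte IPv4 + 20-byte TCP headers)."""
    return max_inner_packet(link_mtu, **kw) - 40


if __name__ == "__main__":
    mtu = 1500  # constructed value: standard Ethernet MTU
    print("1500-byte inner packet on the wire:", esp_packet_size(1500))
    print("1300-byte inner packet on the wire:", esp_packet_size(1300))
    print("largest inner packet, ESP/UDP:", max_inner_packet(mtu))
    print("largest inner packet, plain ESP:", max_inner_packet(mtu, udp_encap=False))
    print("matching TCP MSS, ESP/UDP:", max_tcp_mss(mtu))
```
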
