Oh, and what I forgot was that the kernel doesn't fragment the ESP packet and just sends it, ignoring the discovered path mtu.

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 23.08.2014 at 23:32, Johannes Hubertz wrote:
> Hello Noel and Listreaders,
>
> if your gateway is sending esp packets which need to be fragmented, the
> only way to change this is by setting smaller mtu-sizes on the outgoing
> interfaces of those hosts, which are sending these ESP-packets. The
> behavior of ESP is totally independent from tcp-mss, sorry for my
> misreading of your first mail.
>
> Perhaps you like to find out a maximum usable mtu-size by sending pings
> with increasing packet-sizes (-s xyz) while watching with tcpdump, what's
> coming back. Of course, icmp echo-request and echo-reply must not be
> filtered on your gateways in INPUT and OUTPUT chains. And you need to
> run tcpdump on the gateway(s) or on a router in between them.
>
> Happy working,
> Have fun!
>
> Johannes
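
The ping sweep suggested in the quoted mail can be automated with a binary search over the `-s` payload size. This is an added example, not part of the thread; it assumes Linux iputils `ping`, and the `-M do` option (set DF so the probe is not fragmented on the way) and the function names are choices made here, not taken from the mails. tcpdump on the gateway, as the mail says, is still what shows what happens to the ESP packets themselves.

```shell
#!/bin/sh
# Added example: find the largest ICMP echo payload that still gets a reply.

# probe SIZE HOST: succeeds if one echo request with SIZE payload bytes is answered.
# Assumes iputils ping: -M do sets DF, -W 1 waits one second for the reply.
probe() {
    ping -M do -c 1 -W 1 -s "$1" "$2" >/dev/null 2>&1
}

# max_payload HOST [LOW] [HIGH]: print the largest answered payload in LOW..HIGH.
# Assumes every size up to the limit is answered and every larger size is not.
# Returns 1 if even LOW gets no reply (host down or ICMP filtered).
max_payload() {
    host=$1 lo=${2:-0} hi=${3:-1472}
    probe "$lo" "$host" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))   # round up so the loop always makes progress
        if probe "$mid" "$host"; then
            lo=$mid                    # mid was answered: limit is mid or higher
        else
            hi=$(( mid - 1 ))          # mid was lost: limit is below mid
        fi
    done
    echo "$lo"
}

# payload_to_packet PAYLOAD: IPv4 packet size for that payload
# (20 bytes IPv4 header without options + 8 bytes ICMP header).
payload_to_packet() {
    echo $(( $1 + 28 ))
}

# Run the search only when a target host is given on the command line.
if [ -n "${1:-}" ]; then
    p=$(max_payload "$1") || { echo "no echo reply from $1" >&2; exit 1; }
    echo "largest answered payload: $p bytes (IPv4 packet: $(payload_to_packet "$p") bytes)"
fi
```

Run it against a host on the far side of the tunnel, and keep tcpdump running on the gateway to see the size of the resulting ESP packets on the outer interface.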
