Hi Noel,

I did some tests with copy_df set. In all cases the fragmentation was done before encryption. Even with namespaces and net.ipv4.ip_no_pmtu_disc=0 it was not possible to get fragmentation after encryption (like Cisco is able to). In my tests, I always used xfrm interfaces.

But if you find other possibilities, please let me know.

Kind regards,
André

On 19.10.19 at 23:42, Noel Kuntze wrote:
> Hello list,
>
> Does the kernel support IP fragmentation before encapsulation in any way?
> Even with XFRM interfaces or VTIs?
> I looked at the XFRM code but did not find any code that deals with
> fragmenting any packets. If the packet is too large,
> it is just discarded with an error. If the MTU of the network path is large
> enough and the packet is pre-fragmented by
> having an XFRM interface with a sufficiently low MTU, then do fragments get
> encapsulated?
>
> Any enlightenment would be very appreciated!
>
> Kind regards
>
> Noel
