
[suse-security] explicitly allow fragmented packets in ipsec environment - unset the DF bit


I've stumbled over something that appears to be a bit strange to me. 
I can send 15 Kbyte pings (I haven't tried larger packets yet, but I'm sure they will go through the tunnel as well) to the other end of an IPsec (FreeS/WAN-FreeS/WAN) tunnel. Checking my fragmented packets, the DF bit is not set. The other end of the tunnel, however, can "only" send 1500 byte pings to me. Those packets have the DF bit set.

I wonder how it is possible to unset the DF bit in an IP implementation. Or is there a difference between the various Linux distributions? My IPsec box is a Red Hat box, while the firewall box right behind it is a SuSE box.
I also checked the /proc filesystem for an option to disable the DF bit, but could not find anything.

Thanks for any suggestions,
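As an added illustration (not part of the original post, and not FreeS/WAN or kernel code), the script below shows what the two observations above look like on the wire and where a Linux sender decides about DF. It builds IPv4 headers per RFC 791, parses the flags/fragment-offset field back out, splits a 15000 byte ICMP payload into MTU-1500 fragments (DF clear, MF set on all but the last), and refuses to send the same datagram when DF is set, which is the condition a router reports with ICMP "fragmentation needed". The last function clears DF for a single socket with the Linux IP_MTU_DISCOVER option; its constants are the values from <linux/in.h> (Python's socket module does not export them, so they are defined here), and the system-wide equivalent is /proc/sys/net/ipv4/ip_no_pmtu_disc. Addresses and sizes are constructed sample values.

```python
"""Added example: inspect and control the IPv4 Don't Fragment (DF) bit.
Header layout follows RFC 791; socket constants are Linux values."""
import socket
import struct
import sys

# "flags + fragment offset" field: bit 15 reserved, bit 14 DF, bit 13 MF,
# low 13 bits = fragment offset in units of 8 bytes.
IP_DF = 0x4000
IP_MF = 0x2000
IP_OFFMASK = 0x1FFF

# Linux per-socket PMTU discovery control (values from <linux/in.h>).
IP_MTU_DISCOVER = 10
IP_PMTUDISC_DONT = 0   # never set DF; let the stack fragment
IP_PMTUDISC_WANT = 1   # per-route decision (the usual default)
IP_PMTUDISC_DO = 2     # always set DF


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; over a valid header it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(total_len, src, dst, df=False, mf=False, offset=0,
                      proto=1, ident=0x1234):
    """Return a 20-byte IPv4 header (no options) with the given DF/MF/offset."""
    flags_frag = (IP_DF if df else 0) | (IP_MF if mf else 0) | ((offset // 8) & IP_OFFMASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4_flags(pkt: bytes) -> dict:
    """Decode DF, MF and fragment offset from a captured IPv4 header."""
    ver_ihl, _, total_len, ident, flags_frag = struct.unpack("!BBHHH", pkt[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_frag & IP_DF),
        "mf": bool(flags_frag & IP_MF),
        "offset": (flags_frag & IP_OFFMASK) * 8,
        "checksum_ok": checksum(pkt[:ihl]) == 0,
    }


def fragment(payload_len, mtu, df, src, dst):
    """Headers a sender emits for a datagram of payload_len bytes behind a
    20-byte IP header. Fragments when needed unless DF is set."""
    if 20 + payload_len <= mtu:
        return [build_ipv4_header(20 + payload_len, src, dst, df=df)]
    if df:
        raise ValueError("datagram exceeds MTU and DF is set: fragmentation needed")
    max_data = (mtu - 20) // 8 * 8      # fragment data must be a multiple of 8
    frags, off = [], 0
    while off < payload_len:
        n = min(max_data, payload_len - off)
        more = off + n < payload_len
        frags.append(build_ipv4_header(20 + n, src, dst, mf=more, offset=off))
        off += n
    return frags


def pmtu_mode_after_clearing_df():
    """On Linux, clear DF for one socket and read the mode back (expect 0);
    returns None on other platforms or if sockets are unavailable."""
    if not sys.platform.startswith("linux"):
        return None
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    except OSError:
        return None
    try:
        s.setsockopt(socket.IPPROTO_IP, IP_MTU_DISCOVER, IP_PMTUDISC_DONT)
        return s.getsockopt(socket.IPPROTO_IP, IP_MTU_DISCOVER)
    finally:
        s.close()


if __name__ == "__main__":
    big = fragment(15000, 1500, False, "10.0.0.1", "10.0.0.2")   # the 15 Kbyte ping
    print(len(big), "fragments; last:", parse_ipv4_flags(big[-1]))
    print(parse_ipv4_flags(build_ipv4_header(1500, "10.0.0.2", "10.0.0.1", df=True)))
    try:
        fragment(15000, 1500, True, "10.0.0.2", "10.0.0.1")
    except ValueError as e:
        print("with DF set:", e)
    print("socket mode after IP_PMTUDISC_DONT:", pmtu_mode_after_clearing_df())
```

With DF clear, the 15000 byte payload leaves as 11 fragments of up to 1480 data bytes each, which is what the first observation shows; with DF set, nothing larger than the MTU can leave at all, which matches the 1500 byte ceiling seen from the other side. Whether DF gets set is a sender-side policy, not a property of the distribution: the per-socket option above, the ip_no_pmtu_disc sysctl, and (in iputils) ping's -M dont all steer it.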

