AW: [suse-security] explicitly allow fragmented packets in ipsec environment - unset the DF bit
> > I can send 15 Kbyte (I haven't tried larger packets yet but I'm sure they
> > will go through the tunnel as well) pings to the other end of an ipsec
> > (freeswan-freeswan) tunnel. Checking my fragmented packets the DF bit is
> > not set. The other end of the tunnel, however, can "only" send 1500 Byte
> > pings to me. Those packets have the DF bit set.
> The following is taken from
> TCPMSS target support
> This option adds a `TCPMSS' target, which allows you to alter the
> MSS value of TCP SYN packets, to control the maximum size for that
> connection (usually limiting it to your outgoing interface's MTU
> minus 40).
> This is used to overcome criminally braindead ISPs or servers which
> block ICMP Fragmentation Needed packets. The symptoms of this
> problem are that everything works fine from your Linux
> firewall/router, but machines behind it can never exchange large
> This sounds quite a bit like your problem. One of your systems seems to be
> unable to send fragmented packets. And as 1500 bytes is probably your MTU,
> the host that cannot send fragmented packets cannot send packets larger than
> 1500 bytes. Maybe this is simply because you yourself are blocking the "ICMP
> Fragmentation Needed packets", so check your firewall
Don't need to. ICMP 3 allowed everywhere.
> If that doesn't help, maybe this kernel option will.
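An added Python example (not from the list thread) for checking the two things discussed above: whether the DF bit is set in an IPv4 header, and what MSS a TCPMSS target would clamp a connection to (path MTU minus the 40 bytes of IPv4 and TCP headers named in the help text). The sample headers are constructed inline; the optional IPsec overhead argument is an assumption to let you account for ESP encapsulation.

```python
import struct

IPV4_DF = 0x4000          # Don't Fragment flag in the flags/offset field
IPV4_MF = 0x2000          # More Fragments flag
IPV4_OFFSET_MASK = 0x1FFF # 13-bit fragment offset, in 8-byte units
IPV4_HDR = "!BBHHHBBH4s4s"


def parse_ipv4_fragment_info(packet: bytes) -> dict:
    """Decode DF/MF flags and fragment offset (bytes) from a raw IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "id": ident,
        "total_length": total_len,
        "protocol": proto,
        "df": bool(flags_off & IPV4_DF),
        "mf": bool(flags_off & IPV4_MF),
        "fragment_offset": (flags_off & IPV4_OFFSET_MASK) * 8,
    }


def clamped_mss(path_mtu: int, ipsec_overhead: int = 0) -> int:
    """MSS a TCPMSS target would write into a SYN: MTU minus 40 bytes of
    IPv4+TCP headers. ipsec_overhead (assumed parameter) lets you subtract
    the per-packet ESP expansion so the encrypted packet still fits the
    tunnel's outer MTU."""
    return path_mtu - 40 - ipsec_overhead


def build_ipv4_header(total_length: int, df: bool, mf: bool = False,
                      offset: int = 0, proto: int = 1) -> bytes:
    """Constructed sample header (checksum left zero), protocol 1 = ICMP,
    i.e. the kind of ping packet the thread is about."""
    flags_off = (IPV4_DF if df else 0) | (IPV4_MF if mf else 0) | (offset // 8)
    return struct.pack(IPV4_HDR, 0x45, 0, total_length, 0x1234, flags_off,
                       64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")


if __name__ == "__main__":
    print(parse_ipv4_fragment_info(build_ipv4_header(1500, df=True)))
    print(parse_ipv4_fragment_info(build_ipv4_header(1500, df=False, mf=True, offset=1480)))
    print("MSS for 1500-byte MTU:", clamped_mss(1500))
```

Feed the parser the first 20 bytes of a captured frame's IP layer to confirm which side is setting DF; a DF-set packet larger than the tunnel MTU can only succeed if the ICMP Fragmentation Needed reply gets back to the sender.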