Re: ipsec, nat and mtu problem in 3.1
On Fri, Jun 14, 2002 at 06:41:39PM -0700, Tor Roberts wrote:
...
> The problem is that when you go to certain web sites from network
> 192.168.6.0, they send back packets that when combined with the overhead
> of the ipsec tunnel, exceed the mtu of 1500 on the network. Router A will
> then send an icmp message "unreachable - need to frag (mtu 1428)" to the
> web server. It seems like lots of people like to block icmp packets at
> their firewalls, so the packets don't get fragged, and the site becomes
> unreachable.
...
NAT doesn't change the packet size.
Solution 1: disable path MTU discovery on router A; you will get
fragmented packets. Remember that fragmented packets are bad when you
start to have packet drops.
(from /etc/sysctl.conf)
#net.inet.ip.mtudisc=0 # 0=disable tcp mtu discovery
Solution 2: change the default MSS on all the stations in
192.168.6.0/24 to something suitable for your setup.
Solution 3: add code in PF which fixes the MSS on outgoing TCP
requests. The code and basic idea are in /usr/sbin/ppp; search the man
page and the source code for 'mss-fixup' or something like that.
--
Rémi
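As an added illustration of the MSS fixup idea in Solution 3 (example code written here, not taken from the thread, from ppp or from PF): a small Python model of what an in-path filter does to an outgoing SYN, lowering its MSS option to what the 1428-byte tunnel path MTU allows and patching the TCP checksum incrementally. The endpoint addresses and the SYN segment are constructed for the example.

```python
import struct
# Constructed endpoint addresses (not from the message) for the TCP pseudo-header.
SRC_IP = bytes([192, 168, 6, 10])   # a station on the 192.168.6.0/24 network
DST_IP = bytes([203, 0, 113, 5])    # documentation-range address standing in for the web server

def mss_for_mtu(mtu: int) -> int:
    """Largest MSS whose segments fit the path MTU: MTU minus IPv4 + TCP headers (40)."""
    return mtu - 40

def fold(total: int) -> int:
    """Fold end-around carries into 16 bits (one's complement addition)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Full TCP checksum over IPv4 pseudo-header + segment (checksum field zeroed)."""
    buf = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    buf += segment[:16] + b"\x00\x00" + segment[18:]
    return ~fold(sum(struct.unpack("!%dH" % (len(buf) // 2), buf))) & 0xFFFF

def build_syn(mss: int) -> bytes:
    """Constructed SYN 40000->80, data offset 6: 20-byte header plus one MSS option."""
    seg = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    seg += struct.pack("!BBH", 2, 4, mss)        # option kind 2, length 4, value
    return seg[:16] + struct.pack("!H", tcp_checksum(SRC_IP, DST_IP, seg)) + seg[18:]

def clamp_tcp_mss(segment: bytes, max_mss: int) -> bytes:
    """MSS fixup: lower a SYN's MSS option to max_mss and patch the checksum
    incrementally (RFC 1624), as an in-path filter does without recomputing it."""
    seg = bytearray(segment)
    if not seg[13] & 0x02:                      # only SYNs carry an MSS option
        return segment
    i, end = 20, (seg[12] >> 4) * 4
    while i < end:
        if seg[i] == 1:                         # NOP padding has no length byte
            i += 1
            continue
        length = seg[i + 1] if i + 1 < end else 0
        if length < 2 or i + length > end:      # EOL or malformed option: leave as is
            break
        if seg[i] == 2 and length == 4:
            old = struct.unpack_from("!H", seg, i + 2)[0]
            if old > max_mss:
                struct.pack_into("!H", seg, i + 2, max_mss)
                csum = struct.unpack_from("!H", seg, 16)[0]   # old checksum
                struct.pack_into("!H", seg, 16, ~fold((~csum & 0xFFFF) + (~old & 0xFFFF) + max_mss) & 0xFFFF)
            break
        i += length
    return bytes(seg)
```

With the 1428-byte MTU from the thread, a SYN advertising MSS 1460 leaves with MSS 1388 and a checksum identical to a freshly computed one; a SYN already below the limit passes untouched.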