[strongSwan] day in the life of an Encapsulating Security Payload(ESP) packet in Linux

Martin T m4rtntns at gmail.com
Mon Feb 20 11:25:57 CET 2017


I have a simple site-to-site IPSec VPN where "server-A" is connected
to a "firewall-A" over an IPSec tunnel. In front of "server-A" there
is a switch with has a 1500 byte MTU interface facing the server.
Sometimes clients behind "firewall-A" send large packets to "server-A"
and server replies with ICMP "unreachable; frag needed" messages:

11:19:22.309296 IP > ICMP
unreachable - need to frag (mtu 1438), length 36 is the IP address on "server-A" eth0 interface and is the IP address of the end-client behind "firewall-A".

Am I correct that ICMP "unreachable; frag needed" messages are sent
only in case (server acting as) a router wants to route a package to
another interface, but this interface has a smaller MTU than the
package and router is not allowed to fragment this package because DF
flag is set? If yes, then "server-A" does not do any routing. It's
"left side" Strongswan configuration is following:


When I check the packet flow diagram in
then ESP packet should traverse "routing decision" step twice- first
when the packet is encapsulated and second time when it is already
decapsulated. However, in both occasions the destination IP address is, which is a local physical interface(eth0) in "server-A":

server-A# ip route get
local dev lo  src
    cache <local>

..and thus the routing is done via lo interface which has a 64KB MTU.

Could anybody explain the day in the life of an ESP packet in Linux
and why does it sent out those ICMP "unreachable; frag needed"


More information about the Users mailing list