[strongSwan] XFRM fragmentation before encapsulation
avalentin at marcant.net
Mon Oct 21 11:34:03 CEST 2019
I did some tests with copy_df set. In all cases the fragmentation was done before encryption.
Even with namespaces and net.ipv4.ip_no_pmtu_disc=0, it was not possible to get fragmentation after encryption (like Cisco is able to).
In my tests, I always used xfrm interfaces.
But if you find other possibilities, please let me know.
On 19.10.19 at 23:42, Noel Kuntze wrote:
> Hello list,
> Does the kernel support IP fragmentation before encapsulation in any way? Even with XFRM interfaces or VTIs?
> I looked at the XFRM code but did not find any code that deals with fragmenting any packets. If the packet is too large,
> it is just discarded with an error. If the MTU of the network path is large enough and the packet is pre-fragmented by
> having an XFRM interface with a sufficiently low MTU, then do fragments get encapsulated?
> Any enlightenment would be very appreciated!
> Kind regards