[strongSwan] XFRM fragmentation before encapsulation
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Mon Oct 21 20:41:16 CEST 2019
Hello André,
Please double check if you have before and after right in that email.
I understand it as such that the behaviour I desire is what the kernel already does?
Kind regards
Noel
On 21.10.19 at 11:34, André Valentin wrote:
> Hi Noel,
>
> I did some tests with copy_df set. In all cases the fragmentation was done before encryption.
> Even with namespaces and net.ipv4.ip_no_pmtu_disc=0 it was not possible to get fragmentation after encryption (like Cisco is able to).
> In my tests, I always used xfrm interfaces.
>
> But if you find other possibilities, please let me know.
>
> Kind regards,
>
> André
>
> On 19.10.19 at 23:42, Noel Kuntze wrote:
>> Hello list,
>>
>> Does the kernel support IP fragmentation before encapsulation in any way? Even with XFRM interfaces or VTIs?
>> I looked at the XFRM code but did not find any code that deals with fragmenting any packets. If the packet is too large,
>> it is just discarded with an error. If the MTU of the network path is large enough and the packet is pre-fragmented by
>> having an XFRM interface with a sufficiently low MTU, then do fragments get encapsulated?
>>
>> Any enlightenment would be much appreciated!
>>
>> Kind regards
>>
>> Noel
>>
>