[strongSwan] XFRM fragmentation before encapsulation

Andre Valentin avalentin at marcant.net
Mon Oct 21 20:49:54 CEST 2019

Hello Noel,

I always try to use PMTU discovery to bypass fragmentation. PMTU is working fine, but sometimes needs a bit of fine tuning.

But for some setups fragmentation would be fine (APNs via IPsec/MTU 1500), before or after encryption.
I do not know about any linux solution for this, but am also interested.

Kind regards,


On 21.10.19 at 20:41, Noel Kuntze wrote:
> Hello André,
> Please double check if you have before and after right in that email.
> I understand it as such that the behaviour I desire is what the kernel already does?
> Kind regards
> Noel
> On 21.10.19 at 11:34, André Valentin wrote:
>> Hi Noel,
>> I did some tests with copy_df set. In all cases the fragmentation was done before encryption.
>> Even with namespaces and net.ipv4.ip_no_pmtu_disc=0 it was not possible to get fragmentation after encryption (like cisco is able to).
>> In my tests, I always used xfrm interfaces.
>> But if you find other possibilities, please let me know.
>> Kind regards,
>> André
>> On 19.10.19 at 23:42, Noel Kuntze wrote:
>>> Hello list,
>>> Does the kernel support IP fragmentation before encapsulation in any way? Even with XFRM interfaces or VTIs?
>>> I looked at the XFRM code but did not find any code that deals with fragmenting any packets. If the packet is too large,
>>> it is just discarded with an error. If the MTU of the network path is large enough and the packet is pre-fragmented by
>>> having an XFRM interface with a sufficiently low MTU, then do fragments get encapsulated?
>>> Any enlightenment would be very appreciated!
>>> Kind regards
>>> Noel
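The thread above turns on two numbers a practitioner has to get right when relying on "fragment before encapsulation" via a low-MTU XFRM interface: how large an inner packet can be so that its ESP-encapsulated form still fits the outer path MTU, and how the IP stack will split a DF-clear packet that exceeds the interface MTU. The following worked example is added here and is not code from the strongSwan list or project; the ESP field sizes follow RFC 4303 (and RFC 4106 for GCM, RFC 3948 for UDP encapsulation), while the small cipher table and the function names are assumptions made for this illustration.

```python
# Added example (not from the strongSwan thread): size the inner MTU of an
# XFRM interface so that pre-fragmented packets fit the outer path MTU after
# ESP tunnel-mode encapsulation.

OUTER_IPV4 = 20   # outer IPv4 header
OUTER_IPV6 = 40   # outer IPv6 header
UDP_ENCAP = 8     # NAT-T UDP header (RFC 3948), only when UDP encapsulation is used
ESP_HDR = 8       # SPI + sequence number (RFC 4303)
ESP_TRAILER = 2   # pad length + next header (RFC 4303)

# Assumed table: cipher name -> (IV length, padding alignment, ICV length).
# AES-GCM (RFC 4106): 8-byte IV, 4-byte ESP alignment, 16-byte ICV.
# AES-CBC: 16-byte IV, payload padded to the 16-byte block; HMAC-SHA1-96 = 12-byte ICV.
CIPHERS = {
    "aes128gcm16": (8, 4, 16),
    "aes256gcm16": (8, 4, 16),
    "aes128-sha1": (16, 16, 12),
    "aes128-sha256": (16, 16, 16),
}


def esp_overhead(inner_len, cipher, outer_ipv6=False, udp_encap=False):
    """Bytes added by tunnel-mode ESP to an inner packet of inner_len bytes."""
    iv, align, icv = CIPHERS[cipher]
    # ESP padding brings payload + pad length + next header up to the alignment.
    pad = (-(inner_len + ESP_TRAILER)) % align
    outer = OUTER_IPV6 if outer_ipv6 else OUTER_IPV4
    return outer + (UDP_ENCAP if udp_encap else 0) + ESP_HDR + iv + pad + ESP_TRAILER + icv


def max_inner_mtu(path_mtu, cipher, outer_ipv6=False, udp_encap=False):
    """Largest inner packet length whose encapsulation still fits path_mtu.

    Padding makes the overhead depend on the length, so search downward
    instead of subtracting a fixed constant.
    """
    for n in range(path_mtu, 0, -1):
        if n + esp_overhead(n, cipher, outer_ipv6, udp_encap) <= path_mtu:
            return n
    return 0


def ipv4_fragment_sizes(packet_len, link_mtu, ip_hdr=20):
    """Sizes of the IPv4 fragments the stack emits for a DF-clear packet
    larger than link_mtu (RFC 791: fragment data in multiples of 8 bytes).

    This is what happens when the packet is routed to an XFRM interface
    whose MTU is lower than the packet, i.e. fragmentation *before* ESP.
    """
    if packet_len <= link_mtu:
        return [packet_len]
    per_frag = (link_mtu - ip_hdr) // 8 * 8
    if per_frag <= 0:
        raise ValueError("link MTU too small to carry any fragment data")
    data = packet_len - ip_hdr
    sizes = []
    while data > 0:
        chunk = min(per_frag, data)
        sizes.append(ip_hdr + chunk)
        data -= chunk
    return sizes


def fragments_fit(packet_len, path_mtu, cipher, **kw):
    """True if every pre-encapsulation fragment of packet_len fits path_mtu
    once encapsulated, using the inner MTU derived for the cipher."""
    inner = max_inner_mtu(path_mtu, cipher, **kw)
    return all(f + esp_overhead(f, cipher, **kw) <= path_mtu
               for f in ipv4_fragment_sizes(packet_len, inner))


if __name__ == "__main__":
    for c in CIPHERS:
        print(f"path MTU 1500, {c:14s}: set inner MTU to {max_inner_mtu(1500, c)}")
    print("1500-byte inner packet over aes128gcm16 splits into",
          ipv4_fragment_sizes(1500, max_inner_mtu(1500, "aes128gcm16")))
```

The value returned by `max_inner_mtu` is what one would put on the XFRM interface (`ip link set <ifname> mtu <value>`) so that a 1500-byte packet arriving from the inner network is fragmented by the IP stack before it reaches the ESP transform, which is the behaviour André observed in his tests; with that MTU every fragment, once encapsulated, fits the 1500-byte outer path. Note that this only applies to packets without DF set (or with `copy_df` and the DF-clear case); DF-set packets are still met with an ICMP "fragmentation needed" and rely on the PMTU discovery Andre prefers.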
