[strongSwan] XFRM fragmentation before encapsulation

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Oct 22 00:14:28 CEST 2019

Hello André,

I just did my own tests and came to the following conclusion:
1) pmtu doesn't work in any of the cases.
2) By default, it doesn't work at all.
3) When you try to fix it by setting the MTU of the route to the remote IPsec router,
   you start getting fragments, but not of the inside IP packets, but the outside ESP/ESPINUDP packets
4) It only works when using an XFRM interface when the MTU of it is set correctly (max link MTU - IPsec overhead).
   Then you get ESP encapsulated IP fragments, like you want to.

This ia complete disaster.
It doesn't work OOTB and stops working once either of the peers moves between networks with a lower MTU.
There's currently no automatic solution for this and XFRM interfaces are too new to be a solution for setups with old kernels.

Kind regards


Everything else

Am 21.10.19 um 20:49 schrieb Andre Valentin:
> Hello Noel,
> I always try to use pmtu discovery to bypass fragmentation. PMTU is working fine, but sometimes needs a bit fine tuning.
> But for some setups fragmentation would be fine (APNs via IPsec/MTU 1500), before or after encryption.
> I do not know about any linux solution for this, but am also interested.
> Kind regargs,
> André
> Am 21.10.19 um 20:41 schrieb Noel Kuntze:
>> Hello André,
>> Please double check if you have before and after right in that email.
>> I understand it as such that the behaviour I desire is what the kernel already does?
>> Kind regards
>> Noel
>> Am 21.10.19 um 11:34 schrieb André Valentin:
>>> Hi Noel,
>>> I did some tests with copy_df set. In all cases the fragmentation was done before encryption.
>>> Even with namespaces and net.ipv4.ip_no_pmtu_disc=0 it was not possible to get fragmentation after encryption (like cisco is able to).
>>> In my tests, I always used xfrm interfaces.
>>> But if you find other possibilities, please let me know.
>>> Kind regards,
>>> André
>>> Am 19.10.19 um 23:42 schrieb Noel Kuntze:
>>>> Hello list,
>>>> Does the kernel support IP fragmentation before encapsulation in any way? Even with XFRM interfaces or VTIs?
>>>> I looked at the XFRM code but did not find any code that deals with fragmenting any packets. If the packet is too large,
>>>> it is just discarded with an error. If the MTU of the network path is large enough and the packet is pre fragmented by
>>>> having an XFRM interface with a sufficiently low MTU, then do fragments get encapsulated?
>>>> Any enlightement would be very appreciated!
>>>> Kind regards
>>>> Noel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20191022/bbf64eb1/attachment.sig>

More information about the Users mailing list