Re: xfrm: is pmtu broken with ESP tunneling?

From: Hannes Frederic Sowa
Date: Mon Feb 10 2014 - 21:33:17 EST


Hi!

On Mon, Feb 10, 2014 at 09:41:54AM +0100, Ortwin Glück wrote:
> I am using Openswan to configure an IPSec VPN (using the xfrm/netkey
> backend). Large HTTP POST requests from the client seem to get stuck,
> because the outgoing packets are 1530 bytes (before being wrapped into
> ESP packets). The problem goes away by setting sysctl
> net.ipv4.ip_no_pmtu_disc=1.

This setting will shrink the path mtu to min_pmtu when a frag needed icmp is
received. It sounds like we calculate the path mtu incorrectly in case of
fragmentation.

> May have something to do with it:
> The tunneled network is 10.6.6.6/32 and I am SNAT'ing some destinations
> to that IP, so they get routed through the tunnel. Any other networks
> are not to go through the tunnel.
>
> iptables -t nat -A POSTROUTING -d "${R}" -j SNAT --to-source 10.6.6.6
>
> It seems quite clear to me that xfrm is doing something wrong here.

Can you send a ip route get <ip> to the problematic target to see how
far off the calculated value is?

Thanks,

Hannes

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/