I would like the firewall, when it sees a packet which will be fragmented after the IPsec encapsulation, to send back to the client that the client should lower the MTU. Can FW-1 do that?
It rejects the packet that will be fragmented and informs the clients (or IPSO can do it, I don't know?)

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Esteban Serrano Alvarez
Sent: Thursday, October 27, 2005 3:49 PM
To: [email protected]
Subject: Re: [FW-1] Fragemnting packets after IPSEC....

Hi.

When this kind of problem is detected, the TCP implementation should send an ICMP "Needed to fragment" packet in order to use a lower MTU - 1366 is a typical value.

In some cases, if you are using NAT, it is possible that the ICMP Needed To Fragment packet would not reach its destination. Then, you may select a lower value of MTU on your clients if it's possible.

Esteban Serrano

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On behalf of Cihan Subasi (Garanti Teknoloji) [EMAIL PROTECTED]
Sent: Thursday, October 27, 2005 9:43
To: [email protected]
Subject: [FW-1] Fragemnting packets after IPSEC....

We have discovered that when a client sends a full IP packet, the firewall fragments this packet due to the fact that the packet size increases after the IPsec encapsulation.

We want the client to know that (with the help of the firewall): the firewall rejects the packet before encapsulating it into IPsec, and the client resends this packet with a smaller size so it fits in one IPsec packet.

With this fragmentation, if one fragment is lost the firewall requests the whole packet back, and fragmentation and reassembling also eat CPU.

Is there a way to do what we want, so that the client knows exactly how big the IP packet should be and the firewall does not need to fragment it?

I am not sure whether I explained the problem correctly, but if you require any more info I am ready to provide it.
Thanks

***********************************************************
Cihan SUBASI
Garanti Technology
Internet ve Yazilim Hizmetleri
Tel:(90)(212)4783426
GSM:(90)(533)(2750353)
Fax:(90)(212)6576150
http://www.garantitechnology.com
mailto:[EMAIL PROTECTED]
Success is a wonderful thing, but never underestimate the value of failure. Failure teaches many more things than success ever can.
***********************************************************

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
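
The behaviour asked about in this thread, as an added example that is not part of the original messages and is not FW-1's or IPSO's own logic: a gateway computes the largest inner packet that fits in one ESP tunnel-mode packet and, for an oversized packet with DF set, answers with the ICMP type 3 code 4 message from RFC 1191. Assumptions: 20-byte outer IPv4 header, no NAT-T, AES-CBC with a 96-bit truncated HMAC (16-byte IV, 16-byte block, 12-byte ICV); all function names and the sample packet are constructed for illustration.

```python
import struct

def max_inner_packet(link_mtu, iv_len, block, icv_len, outer_ip=20):
    """Largest inner IP packet that fits in ONE ESP tunnel-mode packet."""
    room = link_mtu - outer_ip - 8 - iv_len - icv_len   # 8 = SPI + sequence number
    room -= room % block                                # ciphertext is whole blocks
    return room - 2                                     # pad-length + next-header bytes

def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def frag_needed(next_hop_mtu, offending_packet):
    """ICMP type 3 code 4: quotes the IP header + first 8 payload bytes."""
    ihl = (offending_packet[0] & 0x0F) * 4
    quoted = offending_packet[:ihl + 8]
    head = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu)
    csum = inet_checksum(head + quoted)
    return struct.pack("!BBHHH", 3, 4, csum, 0, next_hop_mtu) + quoted

def gateway_decision(packet, link_mtu, iv_len, block, icv_len):
    """Return ("encrypt", None) or ("reject", icmp_bytes) before encapsulation."""
    limit = max_inner_packet(link_mtu, iv_len, block, icv_len)
    total_len, _ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    df_set = bool(flags_frag & 0x4000)
    if total_len > limit and df_set:
        return "reject", frag_needed(limit, packet)
    return "encrypt", None   # fits, or DF clear so the gateway may fragment

# Constructed sample: 1500-byte TCP packet with DF set, 10.0.0.5 -> 192.0.2.10
# (header checksum left at 0; it is not inspected here).
SAMPLE = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])) + b"\x00" * 1480

if __name__ == "__main__":
    verdict, icmp = gateway_decision(SAMPLE, 1500, iv_len=16, block=16, icv_len=12)
    print(verdict, "next-hop MTU:", struct.unpack("!H", icmp[6:8])[0])
```

If the ICMP reply is filtered or lost on the way back (the NAT case mentioned in the reply above), the client never learns the lower MTU, which is why lowering the MTU on the clients is the fallback.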
