<If the inner gif/gre tunnel has a lower mtu, then it being a layer-3
tunnel will be able to fragment all incoming ip before sending it into the
ipsec, which will not fragment for you.
The clients will not have to change, nor any other protocol that sends ip
via the double-tunnel.>

If a client and a server set up a new conversation over TCP, and they both
have an MTU of 1500 and DF=1, how will you fragment this, even being an L3
tunnel?

/S

On Tue, 11 Feb 2020 at 08:22, Janne Johansson <[email protected]> wrote:

> On Mon, 10 Feb 2020 at 20:53, Simen Stavdal <[email protected]> wrote:
>
>> I think the more complete solution is to run some gif/gre inside ipsec
>>> and set low-enough MTU on that one, so it can correctly fragment incoming
>>> packets, and optionally rebuild the packets at the remote end, while also
>>> giving you an idea of "state" on the link so you optionally can run things
>>> like routing daemons or something that cares about and acts on tunnel
>>> state. This would cause even lower MTU, but still allow all kinds of
>>> traffic and not just the "popular" one.
>>>
>>
>> So, how will your client/server know about this lower mtu? And df bit is
>> set more often than not, so fragmentation is now allowed in a lot of cases.
>> This is exactly the problem that started this thread...
>>
>>>
>>>
> If the inner gif/gre tunnel has a lower mtu, then it being a layer-3
> tunnel will be able to fragment all incoming ip before sending it into the
> ipsec, which will not fragment for you.
> The clients will not have to change, nor any other protocol that sends ip
> via the double-tunnel.
>
> --
> May the most significant bit of your life be positive.
>

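The two cases argued over in this message can be made concrete by simulating what a layer-3 tunnel endpoint is allowed to do with an inner packet that is larger than the tunnel MTU. The following is an added illustration, not code from either poster: a DF=0 packet is split into RFC 791 fragments (8-byte aligned offsets, MF set on all but the last), while a DF=1 packet cannot be fragmented and the endpoint's only standards-conforming reaction is an ICMP type 3 code 4 "fragmentation needed" message (RFC 1191) back to the sender carrying the next-hop MTU, which the sender's path MTU discovery then has to act on. The addresses, identification value and payload are constructed sample data, and the packet builder emits option-less 20-byte headers only.

```python
import struct

IP_DF = 0x4000   # "don't fragment" flag in the IPv4 flags/fragment-offset field
IP_MF = 0x2000   # "more fragments" flag

# Constructed sample addresses: client, server and the tunnel router's inner address.
CLIENT = bytes([10, 0, 0, 1])
SERVER = bytes([10, 0, 0, 2])
ROUTER = bytes([10, 0, 0, 254])


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 over a header that already carries it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload: bytes, *, df: bool, src=CLIENT, dst=SERVER, ident=0x1234,
               proto=6, ttl=64, frag_off=0, more=False) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    flags_frag = (IP_DF if df else 0) | (IP_MF if more else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, ttl, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed header fields we need; payload is sliced by IHL and total length."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ihl": ihl, "total_len": total_len, "ident": ident,
            "df": bool(flags_frag & IP_DF), "mf": bool(flags_frag & IP_MF),
            "frag_off": (flags_frag & 0x1FFF) * 8, "ttl": ttl, "proto": proto,
            "src": src, "dst": dst, "payload": pkt[ihl:total_len]}


def fragment(pkt: bytes, mtu: int) -> list:
    """Split a DF=0 packet so every piece fits `mtu`; offsets are multiples of 8 (RFC 791)."""
    info = parse_ipv4(pkt)
    chunk = (mtu - info["ihl"]) // 8 * 8
    payload, offset, frags = info["payload"], info["frag_off"], []
    while payload:
        piece, payload = payload[:chunk], payload[chunk:]
        # The last piece keeps MF only if the input was itself a non-final fragment.
        more = bool(payload) or info["mf"]
        frags.append(build_ipv4(piece, df=False, src=info["src"], dst=info["dst"],
                                ident=info["ident"], proto=info["proto"], ttl=info["ttl"],
                                frag_off=offset, more=more))
        offset += len(piece)
    return frags


def icmp_frag_needed(pkt: bytes, next_hop_mtu: int) -> bytes:
    """ICMP type 3 code 4 (RFC 1191) sent back to the packet's source; it quotes the
    offending IP header plus 8 bytes so the sender's TCP can match it to the flow."""
    info = parse_ipv4(pkt)
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + pkt[:info["ihl"] + 8]
    body = body[:2] + struct.pack("!H", ip_checksum(body)) + body[4:]
    return build_ipv4(body, df=False, src=ROUTER, dst=info["src"], proto=1)


def tunnel_ingress(pkt: bytes, tunnel_mtu: int) -> tuple:
    """Decision a layer-3 tunnel endpoint makes before encapsulating an inner packet."""
    info = parse_ipv4(pkt)
    if info["total_len"] <= tunnel_mtu:
        return "forward", [pkt]
    if info["df"]:
        # DF=1: the endpoint may not fragment; the only lawful move is PMTUD feedback.
        return "icmp-frag-needed", [icmp_frag_needed(pkt, tunnel_mtu)]
    return "fragment", fragment(pkt, tunnel_mtu)


if __name__ == "__main__":
    full = build_ipv4(b"A" * 1480, df=True)    # 1500-byte packet from a host with MTU 1500
    print(tunnel_ingress(full, 1400)[0])                                      # icmp-frag-needed
    print(len(tunnel_ingress(build_ipv4(b"A" * 1480, df=False), 1400)[1]))  # 2
```

The DF=1 branch is the one that matters for the question above: nothing about a lower inner MTU fragments that packet, it only changes which hop generates the ICMP, and the sender's stack lowers its segment size only if that ICMP actually reaches it (firewalls that drop ICMP unreachables are the usual reason it does not). Clamping the TCP MSS at the tunnel endpoint sidesteps that dependency but covers TCP only, which is the trade-off the thread is circling.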