Re: [IPsec] Fragmentation causing IKE to fail

2012-06-11 Thread Yaron Sheffer
Hi Valery,

This is not a different problem, because whatever solution we choose, we must ensure the whole system is functional: both IKE and IPsec. Routers that drop IKE fragments will not hesitate to drop ESP/UDP fragments, too.

Thanks for pointing out Sec. 8 to me. I suppose you are right

Re: [IPsec] Fragmentation causing IKE to fail

2012-06-11 Thread Yoav Nir
Hi Yaron

IPsec usually reduces the effective PMTU by 50-100 bytes. There are ways to overcome this:

- the encrypting gateway can send ICMP fragmentation needed packets to the origin of the packet
- the encrypting gateway can fiddle with the MSS on TCP SYN and SYN-ACK to reduce the size of