Re: IPsec PMTUD problem

2007-04-05 Thread Herbert Xu
On Tue, Apr 03, 2007 at 06:32:07PM +0200, Patrick McHardy wrote:
>
> I'm not sure I understand how this would work, the ICMP message
> looks the same in both cases. Or are you suggesting to
> differentiate based on the source of the ICMP message?

Actually you're right, this can't work in the gene

Re: IPsec PMTUD problem

2007-04-05 Thread Herbert Xu
On Thu, Apr 05, 2007 at 02:16:53PM +0200, Patrick McHardy wrote:
>
> That sounds easier. I'm currently working in that area anyway, I'll
> give it a try.

Thanks Patrick!
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志壬 <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.

Re: IPsec PMTUD problem

2007-04-05 Thread Herbert Xu
On Thu, Apr 05, 2007 at 02:09:20PM +0200, Patrick McHardy wrote:
>
> > One possible solution is to not send MTU errors to ourselves since
> > it wouldn't give us any new information. We'd need to audit the
> > users of icmp_send to make sure that there isn't a legitimate case
> > where we'd wan

Re: IPsec PMTUD problem

2007-04-05 Thread Patrick McHardy
Herbert Xu wrote:
> On Thu, Apr 05, 2007 at 02:09:20PM +0200, Patrick McHardy wrote:
>
>>>One possible solution is to not send MTU errors to ourselves since
>>>it wouldn't give us any new information. We'd need to audit the
>>>users of icmp_send to make sure that there isn't a legitimate case

Re: IPsec PMTUD problem

2007-04-05 Thread Patrick McHardy
Herbert Xu wrote:
> On Tue, Apr 03, 2007 at 06:32:07PM +0200, Patrick McHardy wrote:
>
>>I'm not sure I understand how this would work, the ICMP message
>>looks the same in both cases. Or are you suggesting to
>>differentiate based on the source of the ICMP message?
>
>
> Actually you're right,

Re: IPsec PMTUD problem

2007-04-03 Thread Patrick McHardy
Herbert Xu wrote:
> On Mon, Apr 02, 2007 at 04:10:25PM +0200, Patrick McHardy wrote:
>
>>I noticed a problem with PMTUD between two IPsec tunnel endpoints.
>>When sending a packet larger than the PMTU with IP_DF from one
>>tunnel endpoint to the other, xfrm4_output sends an ICMP frag.
>>required w

Re: IPsec PMTUD problem

2007-04-03 Thread Herbert Xu
Hi Patrick:

On Mon, Apr 02, 2007 at 04:10:25PM +0200, Patrick McHardy wrote:
> I noticed a problem with PMTUD between two IPsec tunnel endpoints.
> When sending a packet larger than the PMTU with IP_DF from one
> tunnel endpoint to the other, xfrm4_output sends an ICMP frag.
> required with the IP

IPsec PMTUD problem

2007-04-02 Thread Patrick McHardy
I noticed a problem with PMTUD between two IPsec tunnel endpoints. When sending a packet larger than the PMTU with IP_DF from one tunnel endpoint to the other, xfrm4_output sends an ICMP frag. required with the IPsec MTU. Since the addresses match the tunnel endpoints, this updates the MTU for the