With libreswan
# rpm -qa | grep libreswan
libreswan-5.1-6.0.2.el8.x86_64
and .conf
conn private-or-clear
    type=transport
    auto=route
    ikev2=insist
    nic-offload=packet
    negotiationshunt=passthrough
    failureshunt=passthrough
    authby=null
    rightid=%null
    leftid=%null
    right=%opportunisticgroup
    left=192.201.82.1

conn private-or-clear-2
    type=transport
    auto=route
    ikev2=insist
    nic-offload=packet
    negotiationshunt=passthrough
    failureshunt=passthrough
    authby=null
    rightid=%null
    leftid=%null
    right=%opportunisticgroup
    left=192.201.82.2

When the MTU of the interface is, say, 2300, anything above the MTU (TCP MSS)
fails with IPsec enabled (-l) while running UDP traffic:

    iperf3 -c 192.201.82.1 -B 192.201.82.3 -u -t 10 -b 100G -l 8192

and passes with IPsec disabled.

Though in both cases I see the warning:

    UDP block size 8192 exceeds TCP MSS 2226, may result in fragmentation / drops

But traffic goes through as usual without IPsec.

With IPsec enabled:
Is it that Libreswan doesn’t allow fragmented ESP packets, and if the encrypted
packet exceeds the MTU, packets are getting dropped (silent fail)?

In our case we have hardware offloads enabled (Nvidia CX7 NIC) and IP fragments
are handled via a software fallback.

I am not very clear on whether there is a way to allow fragmented packets to
still go through in the clear, basically to have behavior similar to what I see
without IPsec. What are the options in ipsec.conf for PMTU discovery/IP
fragments?

Thanks
Mamta
_______________________________________________
Swan mailing list -- [email protected]