Need to remove the Don't Fragment bit

To: debian-firewall@lists.debian.org
Subject: Need to remove the Don't Fragment bit
From: "koba@koba.com.ar" <koba@koba.com.ar>
Date: Mon, 27 Oct 2003 08:24:31 -0300
Message-id: <[🔎] 3F9D006F.9040204@koba.com.ar>

Hello,

I'm experimenting with ipsec+transport_mode+ipip_tunnels and I foundthat a big MTU on the ipip interface is a problem when ipsec is workingin transport mode, I had to lower it to the real MTU - overheads. Theipip tunnel has pmtu disabled so packet fragmentation inside the ipsecvirtual interface is allowed and the "real" packet on the wire is notfragmented.Now I'm having a problem. Usually forwarded packets come with the DFbit set, this is not a problem because PMTU works perfectly on theLANs+VPNs, but when packets come from the Internet (MASQUERADE) with theDF bit set and they need to go through a tunnel and get fragmented theInternet hosts usually don't get the corresponding icmp message and pmtubecomes useless. I solved this by lowering the MSS of the packetsexchanged between VPNS and the Internet.I'd like to remove the DF on the packets that need to go through theVPNs to see what happens. Is this possible with an iptables module? Isearched the web and the patch-o-matic list and I can't realize whichone is the one I need.

	Comments?

	Thanks in advance to everyone.

--
Koba

Reply to:

Prev by Date: Re: AW: Firewall Planning
Next by Date: Re: Firewall Planning
Previous by thread: Re: AW: Firewall Planning
Next by thread: port forwarding question
Index(es):
- Date
- Thread