
Re: Change MTU for forwarded packets
Hello guys,

I have a VPN, ip-ip, encrypted, made with vtun
(http://vtun.sourceforge.net) through which I connect 2 offices through a
metropolitan network. Place 2 is getting out on the internet through
place 1...

The people from place 2 were happy with their internet, but they could
not see http of microsoft.com, opera.com, sourceforge… And the problem
was the MTU.

So then I searched Google and applied this rule to my VPN interface:

iptables -I FORWARD -o $VPN_INTERFACE -p tcp --tcp-flags SYN,RST SYN \
    -j TCPMSS --clamp-mss-to-pmtu

$VPN_INTERFACE in your case would be "ipsec" I think…

I applied it on both sides of the VPN.

So... you're using PMTU when SYNs are sent... the MTU problem should not
appear... Though I may be wrong… Most of the time I am :-)

On 8/18/06, George Borisov <george@dxsolutions.co.uk> wrote:
Pascal Hambourg wrote:
>
> Probably because the LAN hosts won't send packets bigger than their MTU.
> Besides, they will use that local MTU to compute the MSS they send to
> the other hosts when establishing a TCP connection, so the other hosts
> won't send packets bigger than the transmitted MSS + TCP header size.
>
> When you reduce the firewall's external interface MTU, packets forwarded
> from a LAN host to the outside bigger than the MTU (plus the IPSec
> encapsulation) will be fragmented if they have the DF (Don't Fragment)
> flag cleared, or discarded with an ICMP fragmentation-needed error
> message otherwise. However it won't change the TCP MSS transmitted by
> LAN hosts unless they use Path MTU Discovery (PMTU).

So what you are saying is that it does not matter what the MTU on
the LAN hosts' packets is because they will be wrapped in the
IPSec encapsulation anyway? I could set a lower MTU on the
external interfaces of the two IPSec firewalls and then it should
all work?

> If you mean the firewall's internal interface, I'm afraid this would be
> ineffective, because it won't force the LAN hosts to send smaller
> packets: the T in MTU stands for "Transmit", which applies to packets
> transmitted (either locally generated or forwarded) by the local host on
> this interface.

I think I am beginning to understand this better. You see, I
originally thought the LAN hosts and the internal interface of
the firewall used the lowest one between the two. :-/


--
George Borisov

DXSolutions Ltd
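What the TCPMSS --clamp-mss-to-pmtu rule above does to a forwarded SYN, as an added illustration that is not part of this thread and not the netfilter code: it matches SYN-without-RST, derives the largest MSS that fits the path MTU (MTU minus 20 bytes IPv4 header minus 20 bytes TCP header), lowers the MSS option when it is larger, and patches the TCP checksum incrementally. The sample segment and the 1400-byte tunnel path MTU are constructed for the example.

```python
import struct

IP_HDR_LEN = 20    # IPv4 header without options
TCP_HDR_LEN = 20   # TCP header without options
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2

def csum_adjust(old_csum, old_word, new_word):
    # RFC 1624 incremental update of a one's-complement checksum for one 16-bit word
    s = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def clamp_mss(segment, path_mtu):
    # Returns (segment, effective MSS); MSS is None when the segment is not a
    # SYN-without-RST or carries no MSS option, and the segment is then untouched.
    flags = segment[13]
    if not (flags & 0x02) or (flags & 0x04):   # same match as --tcp-flags SYN,RST SYN
        return segment, None
    data_off = (segment[12] >> 4) * 4
    max_mss = path_mtu - IP_HDR_LEN - TCP_HDR_LEN   # what --clamp-mss-to-pmtu derives
    seg = bytearray(segment)
    i = TCP_HDR_LEN
    while i < data_off:
        kind = seg[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        length = seg[i + 1]
        if length < 2:                           # malformed option, stop parsing
            break
        if kind == OPT_MSS and length == 4:
            mss = struct.unpack_from("!H", seg, i + 2)[0]
            if mss > max_mss:
                struct.pack_into("!H", seg, i + 2, max_mss)
                old_csum = struct.unpack_from("!H", seg, 16)[0]
                struct.pack_into("!H", seg, 16, csum_adjust(old_csum, mss, max_mss))
                mss = max_mss
            return bytes(seg), mss
        i += length
    return segment, None

# Constructed sample: SYN to port 80, data offset 7 (8 bytes of options),
# checksum field left at 0; options = MSS 1460, NOP, NOP, SACK-permitted.
SAMPLE_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 7 << 4, 0x02, 65535, 0, 0) \
    + b"\x02\x04\x05\xb4\x01\x01\x04\x02"

if __name__ == "__main__":
    seg, mss = clamp_mss(SAMPLE_SYN, 1400)       # 1400 is an assumed tunnel path MTU
    print(f"MSS after clamp: {mss}, option bytes: {seg[22:24].hex()}")
```

With a 1500-byte path MTU the 1460 MSS already fits and the segment passes unchanged, which is why the rule is harmless on links that need no clamping.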

