Re: DF bit - Don't Fragment
Stripping the DF Bit should be enough to solve this problem... as the
routers will then fragment the packets as required.
Or have I missed something?
On 22.06.2004, at 09:54, Jean-Francois Dive wrote:
Just to mention, but when you have pmtu occurring in a vpn context, you
have a problem if the lower mtu is in the tunneled packet path:
the icmp will be sent to the originator of the encapsulated packet,
which is the vpn box, which itself can't send it back
to the client, and so pmtu is broken. In ipsec, there is a way (which
consists of maintaining an mtu value per outgoing SA), but for cipe I
don't know how they deal with it. Another trick is to change the tcp mss
value on the fly, --clamp-to-pmtu with iptables if I am right.
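
The failure described in the quoted message, as an added example that is not part of the original thread: it parses an ICMP "fragmentation needed" message (type 3, code 4) and shows that the host being notified is the source of the embedded outer header, i.e. the VPN box rather than the client. The addresses, the MTU of 1400 and the use of ESP (protocol 50) as the encapsulation are constructed assumptions.

```python
import socket
import struct

def build_frag_needed(next_hop_mtu, outer_src, outer_dst, outer_proto):
    """Constructed ICMP type 3 / code 4 message (checksums left at 0)."""
    outer_ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 1500,           # version/IHL, TOS, total length
        0, 0x4000,               # id, flags: DF set
        64, outer_proto, 0,      # TTL, protocol, header checksum
        socket.inet_aton(outer_src), socket.inet_aton(outer_dst),
    )
    icmp_hdr = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu)
    # RFC 792: the ICMP error carries the offending IP header + 8 data bytes
    return icmp_hdr + outer_ip + b"\x00" * 8

def parse_frag_needed(icmp):
    """Return details of a 'fragmentation needed' ICMP, else None."""
    if len(icmp) < 28:           # 8-byte ICMP header + minimal IP header
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return None
    embedded = icmp[8:]
    ihl = (embedded[0] & 0x0F) * 4
    if ihl < 20 or len(embedded) < ihl:
        return None
    flags_frag = struct.unpack("!H", embedded[6:8])[0]
    return {
        "next_hop_mtu": mtu,
        "df_set": bool(flags_frag & 0x4000),
        "protocol": embedded[9],
        # The router sends the ICMP to the source of the packet it dropped.
        "notified_host": socket.inet_ntoa(embedded[12:16]),
        "destination": socket.inet_ntoa(embedded[16:20]),
    }

def reaches_client(info, client_ip):
    """True only if the ICMP is addressed to the real TCP sender."""
    return info["notified_host"] == client_ip

if __name__ == "__main__":
    CLIENT = "10.0.0.5"          # constructed: host behind the VPN box
    GATEWAY = "192.0.2.1"        # constructed: local VPN box
    PEER = "198.51.100.1"        # constructed: remote tunnel endpoint
    msg = build_frag_needed(1400, GATEWAY, PEER, 50)   # 50 = ESP (assumed)
    info = parse_frag_needed(msg)
    print(info, "client notified:", reaches_client(info, CLIENT))
```
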