Do you ever have issues with the IP fragments being broken across
broken NAT implementations... or are the IP fragments encapsulated in
the IPSec Packets ?
i.e.
gif fragments and IPsec wraps the gif packet + ip fragment  in 2
encapsulated ipsec packets ?

On Tue, 23 Jul 2024 at 08:54, Claudio Jeker <[email protected]> wrote:
>
> On Tue, Jul 23, 2024 at 08:51:19AM +0100, Tom Smyth wrote:
> > Folks,
> >
> > As an ISP we often have to manage wans for customers where we don't
> > have access to customers firewalls, and the customers expect full
> > sized frames / packets across the wan,
> > the issue is when we used 3rd party networks with constrained MTUs,
> > while we can adjust TCP MSS if we control the network devices putting
> > packets across the VPN, this is not always possible,
> >
> > IP fragmentation (sometimes) works but it breaks load balancing
> > (hashes of IP fragments do not match the hashes for the original packet
> > being sent), but sometimes it is not good enough.
> >
> > Possible solutions which we have seen in other vendors:
> > MLPPP on L2TP / PPPoE with MRRU (Maximum Received Reconstructed Unit)
> > which allowed for packet splitting outbound and reconstruction on
> > inbound
> >
> > OpenVPN have a UDP fragment option (which works by encapsulating a
> > packet across 2 equal sized packets once the encapsulated packet would
> > be greater than 1/2 the size of the max UDP fragment; packets would
> > have the same size, same src & destination port and src and
> > destination ip, so packet ordering / LACP load balancing path would be
> > consistent, or at least more consistent, for those packets).
> >
> > OpenVPN & tap interface performance is not brilliant, so I'm hoping
> > there is a kernel driver device that would allow
> >
> > I was wondering if anyone else ran into this issue and resolved it
> > with an existing device driver in OpenBSD...
> >
>
> I run gif tunnels over ipsec with MTU 1500 and the stack just does the
> fragmentation. Not sure if the performance of that is much better than
> OpenVPN.
>
> --
> :wq Claudio



-- 
Kindest regards,
Tom Smyth.
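The load-balancing point raised in the quoted message (IP fragments hash differently from the original packet, while OpenVPN-style UDP halves keep the same 5-tuple) can be modelled in a few lines. This is an added example, not code from the thread or from OpenBSD/OpenVPN; the addresses, ports, payload size and MTU are constructed, and the hasher is a simplified model of a typical 5-tuple/3-tuple ECMP or LACP hash.

```python
# Added example, not code from the thread: models why IP fragmentation breaks
# 5-tuple load balancing (LACP/ECMP) while OpenVPN-style splitting of the
# payload into two smaller UDP datagrams keeps every piece on the same path.
import struct

IP_HDR, UDP_HDR = 20, 8

def udp_datagram(src, dst, sport, dport, payload):
    """One unfragmented IPv4/UDP packet (UDP checksum left at 0 for brevity)."""
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR + len(payload), 0) + payload
    return {"src": src, "dst": dst, "proto": 17, "offset": 0, "mf": False, "data": udp}

def ip_fragment(pkt, mtu):
    """Split per RFC 791: fragment data is a multiple of 8 bytes, and only the
    offset-0 fragment carries the UDP header, so later fragments have no ports."""
    step = (mtu - IP_HDR) // 8 * 8
    data = pkt["data"]
    return [dict(pkt, offset=off // 8, mf=off + step < len(data), data=data[off:off + step])
            for off in range(0, len(data), step)]

def udp_split(src, dst, sport, dport, payload):
    """OpenVPN 'fragment'-style: two equal halves, each a complete UDP datagram
    with the same source/destination addresses and ports as the original."""
    half = (len(payload) + 1) // 2
    return [udp_datagram(src, dst, sport, dport, part)
            for part in (payload[:half], payload[half:])]

def flow_key(pkt):
    """What a typical 5-tuple hasher can see: ports are only readable in an
    unfragmented packet or a first fragment; otherwise it degrades to a 3-tuple."""
    key = (pkt["src"], pkt["dst"], pkt["proto"])
    if pkt["offset"] == 0 and len(pkt["data"]) >= 4:
        key += struct.unpack("!HH", pkt["data"][:4])
    return key

def same_path(pkts):
    """True if every packet hashes to the same flow key (same LAG/ECMP member)."""
    return len({flow_key(p) for p in pkts}) == 1

# Constructed sample: a 1400-byte payload over a path with a 1280-byte MTU.
PAYLOAD = bytes(1400)
ORIGINAL = udp_datagram("192.0.2.1", "198.51.100.1", 4500, 4500, PAYLOAD)
IP_FRAGS = ip_fragment(ORIGINAL, 1280)
UDP_HALVES = udp_split("192.0.2.1", "198.51.100.1", 4500, 4500, PAYLOAD)

if __name__ == "__main__":
    print("IP fragments:", [flow_key(p) for p in IP_FRAGS], "same path:", same_path(IP_FRAGS))
    print("UDP halves:  ", [flow_key(p) for p in UDP_HALVES], "same path:", same_path(UDP_HALVES))
```

The second IP fragment exposes no ports, so a 5-tuple hasher falls back to the 3-tuple and may pick a different member link; both UDP halves carry the full header and stay together.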
