Me again.
I think I have found where the issue is. I have updated the
network schema:

customer private network 10.0.0.0/8
|
|
+ipsec customer gateway (nokia/checkpoint)
|==MTU=1444
|
|
|---ipsec tunnel 10.0.0.0/8<->172.29.128.0/28 (3DES/MD5)
|
|
|    +---ipsec gateway (pleiadi)---priv net (172.16.0.0/23)
|   /
|  /---ipsec tunnel 10.0.0.0/8<->172.16.0.0/23(AES/MD5/IPCOMP)
| /    ipsec tunnel 172.18.1.0/24<->172.16.0.0/23(AES/MD5/IPCOMP)
|/=====MTU=1428
+upgraded ipsec gateway (mimosa) from klips to 2.6.16
|
|
|
priv network (172.18.1.0/24)

Running 'ping 10.16.24.117 -M do -s 1472 -c 3' from a
172.18.1.0 host I got this result:
[EMAIL PROTECTED]:~# ping 10.16.24.117 -M do -s 1472 -c 3
PING 10.16.24.117 (10.16.24.117) 1472(1500) bytes of data.
From 172.29.128.1 icmp_seq=1 Frag needed and DF set (mtu = 1444)
ping: local error: Message too long, mtu=1444
ping: local error: Message too long, mtu=1444

Running a 'ping 172.18.1.13 -M do -s 1472 -c 3' from a
172.16.0.0 host I got this result:
PING 172.18.1.13 (172.18.1.13) 1472(1500) bytes of data.
From 172.16.1.1 icmp_seq=1 Frag needed and DF set (mtu = 1428)
From 172.16.1.247 icmp_seq=2 Frag needed and DF set (mtu = 1428)
From 172.16.1.247 icmp_seq=2 Frag needed and DF set (mtu = 1428)

Running 'ping 10.16.24.117 -M do -s 1472 -c 3' from a
172.16.0.0 host I get this result:
PING 10.16.24.117 (10.16.24.117) 1472(1500) bytes of data.
From 172.16.1.1 icmp_seq=1 Frag needed and DF set (mtu = 1428)
From 172.16.1.247 icmp_seq=2 Frag needed and DF set (mtu = 1428)
From 172.16.1.247 icmp_seq=2 Frag needed and DF set (mtu = 1428)

Pleiadi is also running another tunnel with an old linux
2.4.28/KLIPS FreeS/WAN 2.05 and the MTU is 1444. Can anyone
explain to me why ipsec tunnels established with linux 2.6.16
(linux 2.6<->linux2.6) have an MTU equal to 1428? And why
tunnels established between linux 2.6.16 and other
stacks (checkpoint & KLIPS from FreeS/WAN 2.05 for example)
have an MTU equal to 1444?

TIA
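
An added example, not part of the original post: a Python model of ESP tunnel-mode overhead for the two cipher suites in the diagram (3DES/MD5 and AES/MD5). It assumes a 1500-byte link MTU, a 20-byte outer IPv4 header, HMAC-MD5-96 (12-byte ICV), no IPCOMP, and that the gateway derives the tunnel MTU with an iterative "subtract the overshoot" estimate; that last point is an assumption about the implementation, and all function names are hypothetical.

```python
# Added example: models ESP tunnel-mode framing, not code from the post or the kernel.
LINK_MTU = 1500       # assumed Ethernet MTU on the outer path
OUTER_IP = 20         # outer IPv4 header, no options
ESP_HDR = 8           # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad-length byte + next-header byte
ICV_MD5_96 = 12       # HMAC-MD5 truncated to 96 bits
BLOCK_SIZE = {"3des": 8, "aes": 16}   # CBC block size; the IV has the same length


def align_up(n, block):
    """Round n up to the next multiple of the cipher block size."""
    return (n + block - 1) // block * block


def esp_packet_size(inner_len, cipher):
    """Size on the wire of an inner packet of inner_len bytes after ESP tunnel encapsulation."""
    block = BLOCK_SIZE[cipher]
    header = OUTER_IP + ESP_HDR + block          # fixed headers plus IV
    padded = align_up(inner_len + ESP_TRAILER, block)
    return header + padded + ICV_MD5_96


def exact_inner_mtu(cipher, link_mtu=LINK_MTU):
    """Largest inner packet that really fits in link_mtu."""
    size = link_mtu
    while esp_packet_size(size, cipher) > link_mtu:
        size -= 1
    return size


def estimated_inner_mtu(cipher, link_mtu=LINK_MTU):
    """Conservative estimate (assumed): start from link MTU minus fixed headers,
    then subtract the overshoot until the encapsulated size fits."""
    block = BLOCK_SIZE[cipher]
    res = link_mtu - (OUTER_IP + ESP_HDR + block)
    while True:
        size = esp_packet_size(res, cipher)
        if size <= link_mtu:
            return res
        res -= size - link_mtu


if __name__ == "__main__":
    for cipher in ("3des", "aes"):
        print(cipher, "estimated:", estimated_inner_mtu(cipher),
              "exact:", exact_inner_mtu(cipher))
```

Under these assumptions the estimate gives 1444 for 3DES/MD5 and 1428 for AES/MD5, the two values in the ping output above, which points at the cipher block size rather than the peer's IPsec stack.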

