Marco Berizzi wrote:
Herbert Xu wrote:
Marco Berizzi <[EMAIL PROTECTED]> wrote:
>
> Thanks a lot for the reply Herbert.
> Is there a way to tell netkey to frag packets like klips
> ignoring the DF bit?
Thinking about this again, there is actually a bug in our various
tunneling implementations when the user chooses to disable PMTU
discovery. We should be turning local_df on in that case but we're not
so forwarded packets with DF enabled still get bounced even if they fit
in the nominal MTU.
Could this bug trigger the behaviour described here
http://marc.theaimsgroup.com/?l=linux-netdev&m=114373067423528&w=2 ?
Herbert,
I think I have found the problem.
Problem description: sapgui client (172.16.0.222) cannot
connect from 172.16.0.0/23 network to sap server (10.16.24.117)
on customer network 10.0.0.0/8; tcp socket is established
but there is no packet flow, or it is extremely slow.
However sapgui clients can connect to the customer
network from 172.18.1.0/24 network.
This problem appeared after the mimosa upgrade
from 2.4.29/KLIPS to 2.6.16.1/NETKEY.
Running 'tcpdump -p -n -v ip net 10.16.24.117' on mimosa
resolves the problem: sapgui clients can connect to sap
servers while tcpdump is running on mimosa.
Is this a bug?
customer private network 10.0.0.0/8
|
|
+ipsec customer gateway (nokia/checkpoint)
|==MTU=1444
|
|
|---ipsec tunnel 10.0.0.0/8<->172.29.128.0/28 (3DES/MD5)
|
|
| +---ipsec gateway (pleiadi)---priv net (172.16.0.0/23)
| /
| /---ipsec tunnel 10.0.0.0/8<->172.16.0.0/23(AES/MD5/IPCOMP)
| / ipsec tunnel 172.18.1.0/24<->172.16.0.0/23(AES/MD5/IPCOMP)
|/=====MTU=1428
+upgraded ipsec gateway (mimosa) from klips to 2.6.16
|
|
|
priv network (172.18.1.0/24)