So, what would be a suitable MTU value for an ESP encrypted packet using Blowfish?
Thanks ----- Original Message ----- From: "Helge Oldach" <[EMAIL PROTECTED]> To: "Eric Masson" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Wednesday, October 29, 2003 9:04 AM Subject: Re: ipsec tunnels & packet length issues > Eric Masson: > >>>>>> "Michael" == Michael Sierchio <[EMAIL PROTECTED]> writes: > > > > Michael> You should allow for an IP header with options and the ESP > > Michael> header, which is smaller than 1450. For SKIP I use 1366 as the > > Michael> advertised MTU, and for IPsec usually 1436, unless I need to > > Michael> accomodate ESP and AH, in which case it's smaller. > > > >Ok, that's fine. > > > > Michael> It's a known feature of any sort of IP encapsulation. > > > >I understand. > > > >I'm no kernel hacker at all, I was just thinking about the ability for > >the tunnel endpoint to send back an icmp packet type 3 code 4 when the > >packet is too long to be encapsulated. > > Actually this is the case. Or better, it *should* be happening - I don't > know if you see the ICMPs or not. Note that this must be done on the > local tunnel endpoint, not the remote one. > > Helge > _______________________________________________ > [EMAIL PROTECTED] mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "[EMAIL PROTECTED]" > _______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "[EMAIL PROTECTED]"
