On Tue, Jul 23, 2024 at 09:04:45AM +0100, Tom Smyth wrote:
> Do you ever have issues with the IP fragments being broken across
> broken NAT implementations... or are the IP fragments encapsulated in
> the IPsec packets?
> i.e.
> gif fragments and IPsec wraps the gif packet + IP fragment in 2
> encapsulated IPsec packets?

IPsec has PMTU support so as long as you get ICMP errors then it will
adjust so that you end up with 2 packets. If it is badly broken you can
adjust the MTU of the route the gif tunnel uses (make it a host route).
I think that should also work with wg(4) but I do not use wg(4).

> On Tue, 23 Jul 2024 at 08:54, Claudio Jeker <cje...@diehard.n-r-g.com> wrote:
> >
> > On Tue, Jul 23, 2024 at 08:51:19AM +0100, Tom Smyth wrote:
> > > Folks,
> > >
> > > As an ISP we often have to manage WANs for customers where we don't
> > > have access to the customers' firewalls, and the customers expect full
> > > sized frames / packets across the WAN.
> > > The issue is when we use 3rd party networks with constrained MTUs:
> > > while we can adjust TCP MSS if we control the network devices putting
> > > packets across the VPN, this is not always possible.
> > >
> > > IP fragmentation (sometimes) works but it breaks load balancing
> > > (hashes of IP fragments do not match the hashes for the original packet
> > > being sent), but sometimes it is not good enough.
> > >
> > > Possible solutions which we have seen in other vendors:
> > > MLPPP on L2TP / PPPoE with MRRU (Maximum Received Reconstructed Unit),
> > > which allowed for packet splitting outbound and reconstruction on
> > > inbound.
> > >
> > > OpenVPN has a UDP fragment option (which works by encapsulating a
> > > packet across 2 equal sized packets once the encapsulated packet would
> > > be greater than 1/2 the size of the max UDP fragment; packets would
> > > have the same size, same src & destination port and src and
> > > destination IP, so packet ordering / LACP load balancing path would be
> > > consistent, or at least more consistent, for those packets).
> > >
> > > OpenVPN & tap interface performance is not brilliant, so I'm hoping
> > > there is a kernel driver device that would allow this.
> > >
> > > I was wondering if anyone else ran into this issue and resolved it
> > > with an existing device driver in OpenBSD...
> >
> > I run gif tunnels over ipsec with MTU 1500 and the stack just does the
> > fragmentation. Not sure if the performance of that is much better than
> > OpenVPN.
> >
> > --
> > :wq Claudio
> >
>
> --
> Kindest regards,
> Tom Smyth.

-- 
:wq Claudio
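The two mechanics discussed in the thread, the stack fragmenting a 1500-byte packet once gif(4) adds its outer header, and fragments no longer hashing like the original packet, can be reproduced offline. The block below is an added example, not code from the thread or from OpenBSD: it builds a constructed IPv4/UDP packet, wraps it the way gif(4) does (an extra 20-byte IPv4 header, protocol 4), fragments it per RFC 791, reassembles it to check nothing was lost, and then derives the per-fragment flow key. The hashing policy it models (five-tuple when the transport header is present in the fragment, three-tuple otherwise) is an assumption standing in for a typical ECMP/LACP hash, not any specific vendor's behaviour; all addresses, ports and tunnel endpoints are constructed.

```python
"""Fragment a gif-encapsulated IPv4/UDP packet and compare flow keys.

Added example, not from the thread. Addresses, ports and the hashing
policy are constructed/assumed; see the comments on each.
"""
import hashlib
import struct

IPPROTO_IPIP = 4    # gif(4) IPv4-in-IPv4
IPPROTO_TCP = 6
IPPROTO_UDP = 17
FLAG_DF, FLAG_MF = 0x2, 0x1   # 3-bit flags field: reserved(4) DF(2) MF(1)

# Constructed endpoints: inner (customer) flow and outer (tunnel) pair.
INNER_SRC, INNER_DST = bytes([10, 0, 0, 1]), bytes([10, 0, 1, 1])
OUTER_SRC, OUTER_DST = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header with a valid checksum."""
    if len(hdr) % 2:
        hdr += b"\0"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ident=0, flags=0, offset=0):
    """20-byte IPv4 header without options; offset is in 8-byte units."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      (flags << 13) | offset, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _, total, ident, fl_off, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"ihl": ihl, "total": total, "ident": ident, "flags": fl_off >> 13,
            "offset": fl_off & 0x1FFF, "proto": proto, "src": src, "dst": dst,
            "payload": pkt[ihl:total]}


def udp_packet(src, dst, sport, dport, payload, ident=0x1234) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, IPPROTO_UDP, len(udp), ident) + udp


def gif_encap(inner, outer_src, outer_dst, ident=0x4242) -> bytes:
    """IPv4-in-IPv4 as gif(4) does: prepend an outer header, DF clear."""
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(inner), ident) + inner


def fragment(pkt: bytes, mtu: int) -> list:
    """RFC 791 fragmentation. A DF packet is the PMTU case: it may not be split."""
    h = parse_ipv4(pkt)
    if h["total"] <= mtu:
        return [pkt]
    if h["flags"] & FLAG_DF:
        raise ValueError("DF set: router must drop and send ICMP need-frag")
    chunk = (mtu - h["ihl"]) // 8 * 8        # fragment data must be 8-byte aligned
    frags, data, off = [], h["payload"], 0
    while off < len(data):
        piece = data[off:off + chunk]
        more = FLAG_MF if off + len(piece) < len(data) else 0
        frags.append(ipv4_header(h["src"], h["dst"], h["proto"], len(piece),
                                 h["ident"], flags=(h["flags"] & 0x4) | more,
                                 offset=h["offset"] + off // 8) + piece)
        off += len(piece)
    return frags


def reassemble(frags: list) -> bytes:
    frags = sorted(frags, key=lambda f: parse_ipv4(f)["offset"])
    first = parse_ipv4(frags[0])
    data = b"".join(parse_ipv4(f)["payload"] for f in frags)
    return ipv4_header(first["src"], first["dst"], first["proto"], len(data),
                       first["ident"]) + data


def flow_key(pkt: bytes) -> bytes:
    """Assumed hash input: 5-tuple only when the L4 header is in this fragment."""
    h = parse_ipv4(pkt)
    key = h["src"] + h["dst"] + bytes([h["proto"]])
    if h["offset"] == 0 and h["proto"] in (IPPROTO_TCP, IPPROTO_UDP):
        key += h["payload"][:4]              # source and destination port
    return key


def ecmp_bucket(key: bytes, n_paths: int = 4) -> int:
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_paths


def gif_fragment_sizes(mtu: int = 1500, inner_len: int = 1500) -> list:
    """Claudio's setup: full-size inner packet, gif outer header, stack fragments."""
    inner = udp_packet(INNER_SRC, INNER_DST, 40000, 53, b"A" * (inner_len - 28))
    outer = gif_encap(inner, OUTER_SRC, OUTER_DST)
    return [len(f) for f in fragment(outer, mtu)]


def hash_keys_for_fragments(path_mtu: int = 1400) -> tuple:
    """Tom's complaint: a constrained-MTU path splits the flow's hash key."""
    pkt = udp_packet(INNER_SRC, INNER_DST, 40000, 53, b"A" * 1472)
    return flow_key(pkt), [flow_key(f) for f in fragment(pkt, path_mtu)]


if __name__ == "__main__":
    print("gif over MTU 1500 ->", gif_fragment_sizes())
    orig, keys = hash_keys_for_fragments()
    for i, k in enumerate(keys):
        print("fragment", i, "same key as original:", k == orig, "bucket", ecmp_bucket(k))
```

Running it shows the 1520-byte gif packet leaving as a 1500-byte and a 40-byte fragment (the "2 packets" in the reply above), and that only the first fragment carries the ports: the second fragment's key, and hence its hash bucket, can land on a different member link. The `fragment()` check for DF is the hook where a real forwarder would emit the ICMP need-frag that IPsec's PMTU handling relies on.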