* Todd T. Fries (t...@fries.net) wrote:
> Must is there, granted. For IPSec tunnels encapsulating IPv6 inside IPv4,
> there are tricky problems that were looked at during n2k9 but not solved
> that prevent the proper icmp6 too big message from being sent with the
> proper source address to match the VPN config so it might make it back
> to the proper system. Without this, MTU is not reduced, and fail is the
> result if using tunnel mode with IPSec encapsulating IPv6, only if this
> is traffic from a client behind a VPN gateway. For the gateways themselves,
> they generate the properly sized packets.
>

Hi Todd,

Host1--(net1)--GW1==(tunnel)==GW2--(net2)--Host2

If Host1 sends an IPv6 packet to Host2 with an MTU too big for the GW1-GW2 tunnel then the GW1 should send an ICMP packet too big to Host1.

I assume that the ICMP packet should use GW1 and Host1 unicast addresses on net1 as source and destination, i.e. the MTU would then be related to traffic going through the gateway... But this would then not handle GW1 having multiple tunnels with different MTU..

Should the source address of the ICMPv6 message then be the GW1 tunnel internal endpoint IP?

Does it matter if it's an IPsec or a gif tunnel, as used by Sixxs (I guess not..)?

thanks,
/Joakim

Ps.. and I also have a problem reaching the sitic.se site using IPv6 (Sixxs tunnel)..