Penned by Joakim Aronius on 20091215 8:47.29, we have:
| * Todd T. Fries (t...@fries.net) wrote:
| > Must is there, granted. For IPSec tunnels encapsulating IPv6 inside IPv4,
| > there are tricky problems that were looked at during n2k9 but not solved
| > that prevent the proper icmp6 too big message from being sent with the
| > proper source address to match the VPN config so it might make it back
| > to the proper system. Without this, MTU is not reduced, and fail is the
| > result if using tunnel mode with IPSec encapsulating IPv6, only if this
| > is traffic from a client behind a VPN gateway. For the gateways themselves,
| > they generate the properly sized packets.
| >
|
| Hi Todd,
|
| Host1--(net1)--GW1==(tunnel)==GW2--(net2)--Host2
|
| If Host1 sends an IPv6 packet to Host2 with an MTU too big for the GW1-GW2
| tunnel then the GW1 should send an ICMP packet too big to Host1. I assume
| that the ICMP packet should use GW1 and Host1 unicast addresses on net1 as
| source and destination, i.e. the MTU would then be related to traffic going
| through the gateway... But this would then not handle GW1 having multiple
| tunnels with different MTU.. Should the source address of the ICMPv6 message
| then be the GW1 tunnel internal endpoint IP?
|
| Does it matter if it's an IPsec or a gif tunnel, as used by Sixxs (I guess not..)?
|
| thanks,
| /Joakim
| Ps.. and I also have problem reaching the sitic.se site using IPv6 (Sixxs tunnel)..

gif(4) tunnels are routed not magically injected like IPSec, thus I have
not had path MTU issues with them like I have with IPSec and tunnel mode.

Note that when PMTU works properly, entries show up in the routing tables
of the systems that are the recipients of the TOO BIG messages, so multiple
tunnels of different MTU should not matter as much as the PMTU messages
getting through properly on each.

-- 
Todd Fries .. t...@fries.net

 _____________________________________________
|                                             \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC                 \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com             \  1.866.792.3418 (FAX)
| 2525 NW Expy #525, Oklahoma City, OK 73112  \  sip:freedae...@ekiga.net
| "..in support of free software solutions."  \  sip:4052279...@ekiga.net
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

37E7 D3EB 74D0 8D66 A68D B866 0326 204E 3F42 004A
http://todd.fries.net/pgp.txt