TCPV4 inside an IPSEC tunnel doesn't react to PMTU Discovery on the first connection attempt. After that the connection hangs. Subsequent TCP connections to the same peer, however, use the correct MTU. ICMP Fragmentation Needed messages also fall into the IPSEC tunnel.
As far as I can tell the problem appeared in 2.6.15-rc7 and still exists in 2.6.16-rc3. Here are the details: the changeset "[IPSEC]: Perform SA switchover immediately" http://www.kernel.org/hg/linux-2.6/?cs=c605c11ecb89 changed xfrm_dst_check() to always return NULL. When we get an ICMP Fragmentation Needed message in response to the first TCP packet, tcp_v4_err() checks its dst->obsolete flag and then calls dst->ops->check(). This check() function will be xfrm_dst_check() in the case of an IPSEC tunnel. By returning NULL, xfrm_dst_check() prevents tcp_v4_err() from calling tcp_simple_retransmit(). The strange thing is that TCP doesn't try to retransmit the packet. Perhaps the EMSGSIZE return status from xfrm4_output is the reason, but I'm not sure. Below is the patch which reverts xfrm_dst_check() back.

Signed-off-by: Ilia Sotnikov <[EMAIL PROTECTED]>
--
Ilia Sotnikov

--- linux-2.6.15.4.orig/net/xfrm/xfrm_policy.c 2006-02-15 21:37:33.000000000 +0200 +++ linux-2.6.15.4/net/xfrm/xfrm_policy.c 2006-02-15 21:38:03.000000000 +0200 @@ -1044,10 +1044,9 @@ static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie) { - /* If it is marked obsolete, which is how we even get here, - * then we have purged it from the policy bundle list and we - * did that for a good reason. - */ + if (!stale_bundle(dst)) + return dst; + return NULL; }
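Review bot: the restored body hands dst back whenever !stale_bundle(dst), but the comment this hunk deletes says the only way a bundle reaches check() is by being marked obsolete after it was purged from the policy bundle list; returning it then revives a bundle that the SA switchover change deliberately discarded, so this is a plain revert of c605c11ecb89 rather than a fix for the PMTU case, and the reason a non-stale obsolete bundle is safe to reuse should be stated in a replacement comment instead of being dropped along with the old one. Also, the hunk header counts four removed and three added lines, which means the function's existing `return NULL;` is kept as context below the added `+ return NULL;`; if so the added one is unreachable and should go.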
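To make the control flow in the report concrete, here is a small userspace model, written for this note and not taken from the kernel or from the poster's patch, of the path it describes: an ICMP Fragmentation Needed arrives for a TCP socket whose cached route is an xfrm bundle, the socket's dst check consults dst->ops->check() because the bundle is marked obsolete, and only if check() vouches for the dst does the MTU get updated and the segment retransmitted. The struct fields, the `-1` obsolete marker on xfrm bundles, the MTU values and the `stale` flag standing in for stale_bundle() are assumptions modelled on the 2.6.15 structures and pared down to what the decision needs; the always-NULL and the reverted check are both included so the two behaviours can be run side by side.

```c
/*
 * Simplified model (written for this note, not kernel code) of the
 * ICMP_FRAG_NEEDED path in tcp_v4_err() for a socket whose route is an
 * xfrm bundle. Field and function names are assumptions modelled on the
 * 2.6.15 structures; the values used in run_scenario() are constructed.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct dst_entry;

struct dst_ops {
    struct dst_entry *(*check)(struct dst_entry *dst, uint32_t cookie);
};

struct dst_entry {
    int obsolete;              /* xfrm bundles set this to -1 so check() runs on every use */
    unsigned int mtu;          /* MTU cached on the route */
    bool stale;                /* stand-in for stale_bundle(): the bundle's SAs are gone */
    const struct dst_ops *ops;
};

struct sock {
    struct dst_entry *sk_dst_cache;
    unsigned int pmtu_cookie;  /* MTU the socket's MSS was derived from (tp->pmtu_cookie) */
    int retransmits;           /* how often tcp_simple_retransmit() would have run */
};

/* check() as left by "[IPSEC]: Perform SA switchover immediately": always NULL. */
static struct dst_entry *check_always_null(struct dst_entry *dst, uint32_t cookie)
{
    (void)dst; (void)cookie;
    return NULL;
}

/* check() as restored by the patch: keep the bundle unless stale_bundle() says otherwise. */
static struct dst_entry *check_unless_stale(struct dst_entry *dst, uint32_t cookie)
{
    (void)cookie;
    return dst->stale ? NULL : dst;
}

static const struct dst_ops ops_switchover = { .check = check_always_null };
static const struct dst_ops ops_reverted   = { .check = check_unless_stale };

/* Model of __sk_dst_check(): an obsolete dst survives only if check() vouches for it. */
static struct dst_entry *sk_dst_check(struct sock *sk, uint32_t cookie)
{
    struct dst_entry *dst = sk->sk_dst_cache;
    if (dst && dst->obsolete && dst->ops->check(dst, cookie) == NULL) {
        sk->sk_dst_cache = NULL;   /* route dropped; the ICMP is ignored for this socket */
        return NULL;
    }
    return dst;
}

struct pmtu_result {
    bool reacted;          /* MSS was lowered and the segment retransmitted */
    unsigned int pmtu;     /* socket's path MTU after the ICMP was processed */
};

/* Model of the ICMP_FRAG_NEEDED handling in tcp_v4_err(). */
static struct pmtu_result handle_frag_needed(struct sock *sk, unsigned int icmp_mtu)
{
    struct pmtu_result r = { .reacted = false, .pmtu = sk->pmtu_cookie };
    struct dst_entry *dst = sk_dst_check(sk, 0);

    if (!dst)
        return r;               /* no usable route: nothing synced, nothing retransmitted */
    if (icmp_mtu < dst->mtu)
        dst->mtu = icmp_mtu;    /* update_pmtu() */
    if (sk->pmtu_cookie > dst->mtu) {
        sk->pmtu_cookie = dst->mtu;   /* tcp_sync_mss() */
        sk->retransmits++;            /* tcp_simple_retransmit() */
        r.reacted = true;
        r.pmtu = sk->pmtu_cookie;
    }
    return r;
}

/* One constructed scenario: fresh xfrm bundle (obsolete = -1), first segment sized for
 * a 1500-byte MTU, and the path reports icmp_mtu in ICMP Fragmentation Needed. */
static struct pmtu_result run_scenario(const struct dst_ops *ops, bool stale, unsigned int icmp_mtu)
{
    struct dst_entry bundle = { .obsolete = -1, .mtu = 1500, .stale = stale, .ops = ops };
    struct sock sk = { .sk_dst_cache = &bundle, .pmtu_cookie = 1500, .retransmits = 0 };
    return handle_frag_needed(&sk, icmp_mtu);
}

int main(void)
{
    struct pmtu_result a = run_scenario(&ops_switchover, false, 1400);
    struct pmtu_result b = run_scenario(&ops_reverted, false, 1400);
    struct pmtu_result c = run_scenario(&ops_reverted, true, 1400);
    printf("always-NULL check : reacted=%d pmtu=%u\n", a.reacted, a.pmtu);
    printf("stale_bundle check: reacted=%d pmtu=%u\n", b.reacted, b.pmtu);
    printf("stale bundle      : reacted=%d pmtu=%u\n", c.reacted, c.pmtu);
    return 0;
}
```

With the always-NULL check the socket loses its route on the very first ICMP and neither syncs its MSS nor retransmits, which is the first-connection hang the report describes; with the restored check the MTU drops to 1400 and the segment is resent, while a genuinely stale bundle is still refused, so the revert does not keep bundles whose SAs are gone.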