[Swan] IPSec end-point sends ICMP "unreachable; frag needed" messages while it's not routing

Martin T m4rtntns at gmail.com
Mon Feb 6 22:43:14 UTC 2017


Hi,

I have a simple site-to-site IPSec VPN where "server-A" is connected
to a "fw-A" over an IPSec tunnel. In front of "server-A" there is a
switch which has a 1500 byte MTU interface facing the server. Sometimes
clients behind "fw-A" send large packets to "server-A" and the server
replies with ICMP "unreachable; frag needed" messages:

11:19:22.309296 IP 10.10.10.135 > 192.168.100.4: ICMP 10.10.10.135
unreachable - need to frag (mtu 1438), length 36

10.10.10.135 is the IP address on "server-A" eth0 interface and
192.168.100.4 is the IP address of the end-client.

Am I correct that ICMP "unreachable; frag needed" messages are sent
only in case (the server acting as) a router wants to route a packet to
another interface, but this interface has a smaller MTU than the
packet and the router is not allowed to fragment this packet because the DF
flag is set? If yes, then "server-A" does not do any routing. Its
"left side" configuration is as follows:

        left=10.10.10.135
        leftsourceip=10.10.10.135
        leftsubnet=10.10.10.135/32
        leftnexthop=%defaultroute

Could anybody explain this behavior?


thanks,
Martin
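The ICMP message in the capture above, reconstructed as an added example (this is not code from the original post or from Libreswan): it builds an ICMP Destination Unreachable, code 4 "fragmentation needed" message the way RFC 792/1191 define it (the error quotes the dropped packet's IP header plus 8 bytes and carries the next-hop MTU), decodes it back into the fields tcpdump prints, and implements the forwarding rule the question describes (a packet larger than the next-hop MTU is fragmented unless DF is set, in which case it is dropped and the ICMP error is returned). The offending packet is assumed to be a 1500 byte TCP segment with DF set; its IP ID, the zeroed IP header checksum and the 8 quoted transport bytes are constructed, since the capture does not show them.

```python
import struct

ICMP_DEST_UNREACH = 3   # ICMP type: Destination Unreachable
ICMP_FRAG_NEEDED = 4    # code: fragmentation needed and DF set (RFC 792);
                        # RFC 1191 puts the next-hop MTU in header bytes 6-7
IP_DF = 0x4000          # "Don't Fragment" bit in the IPv4 flags/fragment-offset word


def ipv4_header(src, dst, total_len, proto, df=True, ttl=64):
    """Minimal 20-byte IPv4 header (constructed; the header checksum is left
    at zero because these bytes are never handed to a real stack)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_len, 0x1234, IP_DF if df else 0, ttl, proto, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))


def icmp_checksum(data):
    """Internet checksum (RFC 1071) over the ICMP header and body."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frag_needed(sender, orig_src, orig_dst, orig_len, next_hop_mtu, orig_proto=6):
    """ICMP type 3 / code 4 as the node that dropped the packet sends it: the
    error quotes the dropped packet's IP header plus its first 8 bytes and
    carries the next-hop MTU. The 8 transport bytes are zero filled here."""
    quoted = ipv4_header(orig_src, orig_dst, orig_len, orig_proto) + b"\x00" * 8
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + quoted
    body = body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]
    # The error goes back to the original sender as protocol 1 (ICMP), without DF.
    return ipv4_header(sender, orig_src, 20 + len(body), 1, df=False) + body


def parse_frag_needed(pkt):
    """Decode an IPv4 packet carrying ICMP 3/4 into the fields tcpdump summarises."""
    def dotted(b):
        return ".".join(str(x) for x in b)

    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if icmp_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        raise ValueError("not an ICMP need-to-frag message")
    quoted = icmp[8:]
    q_total_len, = struct.unpack("!H", quoted[2:4])
    q_flags, = struct.unpack("!H", quoted[6:8])
    return {
        "from": dotted(pkt[12:16]),      # node that generated the error
        "to": dotted(pkt[16:20]),        # original sender, which must shrink its packets
        "icmp_len": len(icmp),           # what tcpdump prints as "length" (8 + 20 + 8 = 36)
        "mtu": mtu,                      # next-hop MTU the sender should adopt
        "orig_src": dotted(quoted[12:16]),
        "orig_dst": dotted(quoted[16:20]),
        "orig_len": q_total_len,         # total length of the dropped packet
        "orig_df": bool(q_flags & IP_DF),
    }


def next_hop_action(total_len, df, link_mtu):
    """Forwarding rule from RFC 791/1191: a packet that does not fit the next-hop
    MTU is fragmented, unless DF is set, in which case it is dropped and an
    ICMP 3/4 with the next-hop MTU is returned to the sender."""
    if total_len <= link_mtu:
        return "forward"
    return "icmp-frag-needed" if df else "fragment"


if __name__ == "__main__":
    # Same addresses and MTU as the capture in the post; packet size is assumed.
    pkt = build_frag_needed("10.10.10.135", "192.168.100.4", "10.10.10.135", 1500, 1438)
    print(parse_frag_needed(pkt))
    print(next_hop_action(1500, True, 1438))
```

Decoding the constructed message yields an ICMP length of 36 and an MTU of 1438, matching the tcpdump line; the quoted header is what tells the original sender which packet was dropped and whether DF was set on it.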

