[Swan] ipsec packet fragmentation

Paul Wouters paul at nohats.ca
Fri Mar 24 03:25:21 UTC 2017


On Tue, 21 Mar 2017, Xinwei Hong wrote:

> We noticed that the packets are fragmented around 332 bytes (raw data about 244B). This value is much smaller
> than what we expected and it affects performance. Is this configurable? I noticed we have an ike-frag option,
> but that sounds like it only applies to IKE, not to IPSEC esp packets. The sender sends packets with size around
> 1000B.

You can set mtu= which causes a route to be added with the specified
mtu to work around this.

But IPsec is not fragmenting at 332 bytes. In fact, isn't that smaller
than the minimum allowed MTU size? It seems you have another non-IPsec
problem on your network that needs addressing.

Paul

