I have the following problem:
router A has two interfaces eth0 and eth1.
router B has two interfaces eth0 and eth1.
The networks on A:eth1 and B:eth1 are connected over an IPsec tunnel.
The MTU on A:eth1 is 1400 (all others are 1500).
Both run 220.127.116.11
If I now ping a host HA on A:eth1 from host HB on B:eth1 with a packet size
greater than 1400, the ping fails.
tcpdump on A:eth0 shows:
an ESP tunnel packet from B comes in
an ICMP echo-request packet from HB to HA comes in
(the decrypted ESP packet)
an unencrypted ICMP fragmentation-needed packet to HB from A (IP of eth1) is sent
It seems to me that this fragmentation-needed packet generated by B is not
handled by IPsec, is sent out unencrypted instead, and this is the reason it
does not reach HB.
I should not see the unencrypted packet going out at all, should I? Because if I ping
A:eth1 from HB, then I don't see the unencrypted echo-reply packet (which has
the same source address as the fragmentation-needed) but only the outgoing
ESP packet (and the echo reply reaches HB, by the way).
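The reasoning in the post (the ICMP fragmentation-needed error has the same source and destination as an echo reply that does get encrypted, so the same policy should cover it) can be checked against the packet format itself. The following is an added example, not code from the post or from any IPsec implementation: it builds the RFC 1191 fragmentation-needed message router A would generate for an oversized DF echo request, parses and checksum-verifies it, and matches both it and the echo reply against an SPD selector. The addresses, the 10.1.0.0/24 and 10.2.0.0/24 networks and the single SPD entry are assumptions made for the example; only the 1400 MTU comes from the post.

```python
"""Added example: ICMP fragmentation-needed (type 3, code 4) construction,
parsing and SPD selector matching. Topology addresses are assumed."""
import ipaddress
import struct

HA = "10.1.0.10"      # host behind A:eth1 (assumed address)
A_ETH1 = "10.1.0.1"   # router A's eth1 address (assumed)
HB = "10.2.0.10"      # host behind B:eth1 (assumed)
A_ETH1_MTU = 1400     # from the post

# Assumed SPD: one policy protecting traffic between the two eth1 networks.
SPD = [("10.1.0.0/24", "10.2.0.0/24", None)]  # (local, remote, proto or None=any)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over a correctly checksummed message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_checksum(msg: bytes, offset: int) -> bytes:
    """Compute the checksum with the field zeroed and write it at offset."""
    zeroed = msg[:offset] + b"\x00\x00" + msg[offset + 2:]
    return zeroed[:offset] + struct.pack("!H", inet_checksum(zeroed)) + zeroed[offset + 2:]


def ipv4_header(src, dst, proto, payload_len, df=False, ident=0) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      0x4000 if df else 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return with_checksum(hdr, 10)


def build_frag_needed(router_ip, offending: bytes, next_hop_mtu: int) -> bytes:
    """ICMP type 3 code 4: unused(16) | next-hop MTU(16) | original IP header + 8 bytes."""
    ihl = (offending[0] & 0x0F) * 4
    icmp = with_checksum(struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + offending[:ihl + 8], 2)
    orig_src = str(ipaddress.IPv4Address(offending[12:16]))
    return ipv4_header(router_ip, orig_src, 1, len(icmp)) + icmp


def parse_frag_needed(packet: bytes) -> dict:
    """Verify an ICMP fragmentation-needed packet and extract what a PMTU client needs."""
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if packet[9] != 1 or icmp[0] != 3 or icmp[1] != 4:
        raise ValueError("not ICMP fragmentation-needed")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    quoted = icmp[8:]  # original IP header + 8 bytes, identifies the offending flow
    return {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "next_hop_mtu": struct.unpack("!H", icmp[6:8])[0],
        "quoted_dst": str(ipaddress.IPv4Address(quoted[16:20])),
    }


def is_valid_frag_needed(packet: bytes) -> bool:
    try:
        parse_frag_needed(packet)
        return True
    except (ValueError, IndexError, struct.error):
        return False


def spd_match(src, dst, proto) -> bool:
    """Does a packet with these selectors fall under any SPD entry?"""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for local, remote, p in SPD:
        if (p is None or p == proto) and s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return True
    return False


def example_exchange() -> dict:
    # HB's 1500-byte DF echo request (ICMP type 8), larger than A:eth1's MTU (constructed).
    echo = with_checksum(struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"A" * 1472, 2)
    echo_req = ipv4_header(HB, HA, 1, len(echo), df=True, ident=0x1234) + echo
    err = build_frag_needed(A_ETH1, echo_req, A_ETH1_MTU)
    info = parse_frag_needed(err)
    info["offending_len"] = len(echo_req)
    info["error_len"] = len(err)
    info["error_matches_spd"] = spd_match(info["src"], info["dst"], 1)
    info["echo_reply_matches_spd"] = spd_match(A_ETH1, HB, 1)
    # A one-byte corruption must be rejected by the checksum check.
    info["tampered_is_valid"] = is_valid_frag_needed(err[:-1] + bytes([err[-1] ^ 0xFF]))
    return info


if __name__ == "__main__":
    for k, v in example_exchange().items():
        print(f"{k}: {v}")
```

Both the error and the echo reply match the same selector, which is what the post expects; whether a given kernel actually runs its locally generated ICMP errors through the IPsec policy lookup is what the capture on A:eth0 answers, not this check. Capturing on the outer interface with `icmp[0] == 3 and icmp[1] == 4` is the quick way to see whether the error leaves in the clear.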