From mboxrd@z Thu Jan 1 00:00:00 1970
From: "pupilla@libero.it"
Subject: R: Re: mtu issue with ipsec tunnel and netfilter snat
Date: Thu, 10 Jan 2013 17:46:57 +0100 (CET)
Message-ID: <8364295.258481357836417891.JavaMail.defaultUser@defaultHost>
Reply-To: "pupilla@libero.it"
Mime-Version: 1.0
Content-Type: text/plain;charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc:
To:
Return-path:
Received: from outrelay02.libero.it ([212.52.84.102]:33409 "EHLO outrelay02.libero.it" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751382Ab3AJQq7 (ORCPT ); Thu, 10 Jan 2013 11:46:59 -0500
Sender: netdev-owner@vger.kernel.org
List-ID:

jengelh@inai.de wrote:

>On Wednesday 2013-01-09 10:01, pupilla@libero.it wrote:
>
>>As you can see there are incoming 1500 bytes packets (these are the
>>decrypted ipsec packets) with DF bit set. These packets are never
>>delivered to the final client 10.81.128.176 (the destination address
>>is 172.16.128.1 which is the ip used for SNATing the original ip
>>10.81.128.176).
>>
>>IMHO this is a mtu issue: 1500 bytes packets cannot be routed inside
>>the ipsec tunnel.
>>
>>But why linux_gw_snat is not sending icmp need to frag packets to
>>10.148.12.23?
>
>Perhaps because ICMP was blocked erroneously?

Well, I don't see the ICMP packets because tcpdump only 'sees' the incoming clear IPsec packets. Is there a way to see the outgoing clear IPsec packets with tcpdump?
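The thread above turns on two questions: does a 1500-byte DF packet fit inside the ESP tunnel once the outer header, IV, padding and ICV are added, and what should the gateway send back when it does not. The following is an added, self-contained example written for this page; it is not code from the thread participants or from the kernel. It parses an IPv4 header, computes the ESP tunnel-mode overhead (assuming AES-CBC with a 16-byte IV and HMAC-SHA1-96 with a 12-byte ICV, which is an assumption, not something the thread states), derives the largest inner packet that fits a 1500-byte outer path, and builds the ICMP type 3 code 4 "fragmentation needed" message with the next-hop MTU that the sender needs for path MTU discovery. The sample packet is constructed, not captured; it reuses the thread's addresses 10.148.12.23 and 172.16.128.1 only as illustrative values, and `make_sample_packet`, `build_frag_needed` and the other helper names are this example's own.

```python
"""Added example (not from the netdev thread): ESP tunnel path-MTU
arithmetic and the ICMP "fragmentation needed" reply a gateway should emit
for an oversized packet with DF set.  Cipher overhead figures are an
assumption (AES-CBC + HMAC-SHA1-96); adjust for your SA."""
import socket
import struct

IPV4_DF = 0x4000   # Don't Fragment flag in the flags/fragment-offset field


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, shared by IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed IPv4 header fields a PMTU decision depends on."""
    (ver_ihl, _tos, total_length, _ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "ihl": (ver_ihl & 0x0F) * 4,
        "total_length": total_length,
        "df": bool(flags_frag & IPV4_DF),
        "ttl": ttl,
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
    }


def esp_tunnel_overhead(inner_len: int, iv_len: int = 16,
                        block: int = 16, icv_len: int = 12) -> int:
    """Bytes ESP tunnel mode wraps around an inner packet of inner_len bytes.

    Assumed layout: outer IPv4 (20) + SPI/sequence (8) + IV + inner packet
    + padding to the cipher block + pad-length/next-header (2) + ICV.
    """
    pad = (-(inner_len + 2)) % block
    return 20 + 8 + iv_len + pad + 2 + icv_len


def max_inner_length(path_mtu: int, **esp) -> int:
    """Largest inner packet that still fits the outer path MTU."""
    for inner_len in range(path_mtu, 0, -1):
        if inner_len + esp_tunnel_overhead(inner_len, **esp) <= path_mtu:
            return inner_len
    raise ValueError("path MTU too small for any ESP packet")


def needs_frag_needed(pkt: bytes, path_mtu: int, **esp) -> bool:
    """True when the gateway must answer with ICMP type 3 code 4 instead of
    forwarding: DF is set and the packet will not fit once encapsulated."""
    hdr = parse_ipv4_header(pkt)
    encapsulated = hdr["total_length"] + esp_tunnel_overhead(hdr["total_length"], **esp)
    return hdr["df"] and encapsulated > path_mtu


def build_frag_needed(orig_pkt: bytes, next_hop_mtu: int, gw_ip: str) -> bytes:
    """ICMP Destination Unreachable / Fragmentation Needed (RFC 792, RFC 1191)
    quoting the original header + 8 bytes, in an IPv4 packet from the
    gateway back to the original sender."""
    hdr = parse_ipv4_header(orig_pkt)
    quoted = orig_pkt[:hdr["ihl"] + 8]
    # type 3, code 4, checksum placeholder, unused, next-hop MTU
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(gw_ip), socket.inet_aton(hdr["src"]))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def make_sample_packet(total_length: int, df: bool) -> bytes:
    """Constructed IPv4/TCP packet (not a capture) from 10.148.12.23 to
    172.16.128.1, the addresses used in the thread, with a zeroed payload."""
    flags = IPV4_DF if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, flags, 64, 6, 0,
                      socket.inet_aton("10.148.12.23"), socket.inet_aton("172.16.128.1"))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + bytes(total_length - 20)


if __name__ == "__main__":
    pkt = make_sample_packet(1500, df=True)
    print("ESP overhead for 1500-byte inner packet:", esp_tunnel_overhead(1500))
    print("largest inner packet for a 1500-byte outer MTU:", max_inner_length(1500))
    print("must send ICMP frag-needed:", needs_frag_needed(pkt, 1500))
    print("ICMP reply hex:", build_frag_needed(pkt, max_inner_length(1500), "172.16.128.1").hex())
```

With the assumed AES-CBC/HMAC-SHA1-96 SA a 1500-byte inner packet grows to 1560 bytes on the wire, and the largest inner packet that fits a 1500-byte outer path is 1438 bytes, which is the value the gateway should advertise in the next-hop MTU field so the sender's path MTU discovery can shrink its segments. Use `tcpdump -i <iface> icmp[icmptype]==3 and icmp[icmpcode]==4` on the sender side to confirm the message actually arrives.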