Linux Netfilter discussions
* Masquerade and ICMP frag needed
@ 2005-05-24 14:12 |m|
From: |m| @ 2005-05-24 14:12 UTC (permalink / raw)
  To: netfilter

Problem: My box does not forward ICMP Fragmentation Needed packets to
its masqueraded clients.

Setup:
I have a box with 3 NICs, equipped with kernel 2.6.11 and iptables
1.2.11. This box has two gateways, and the network layout is as follows:

eth0 <---> clients
eth1 <---> standard internet traffic
eth2 <---> VPN

Details:
Traffic on eth2 is masqueraded (required). The problem is that the
packets (MTU 1500) must be encapsulated in IPsec packets at the next
hop, where the MTU is the same, therefore the VPN server sends back an
ICMP packet saying that fragmentation is needed. The ICMP packets are
received by my box, but not forwarded to the clients, which continue to
send 1500-byte packets. Therefore the VPN site does not open.

Is that normal behavior? Should I add anything to the iptables rules in
order to make it forward ICMP Frag Needed packets?

Thank you very much!

Iptables on eth2:
Input,Output,Forward
- Policy ACCEPT (nothing else)
Nat
- POSTROUTING anywhere anywhere -j MASQUERADE

Current Workaround:
- ifconfig eth2 mtu 1400 (I don't like it! :)
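The mechanics behind the question above, as an added example that is not part of the post: it builds the ICMP Fragmentation Needed error (type 3, code 4, RFC 1191) the VPN hop would return for a 1500-byte DF packet, parses it, and shows the reverse translation of the embedded IP header that the NAT box has to perform before the error can be forwarded to the masqueraded client. All addresses, ports and the NAT table entry are constructed sample values.

```python
import ipaddress
import struct

ICMP_DEST_UNREACH, CODE_FRAG_NEEDED = 3, 4  # RFC 792 type 3 / RFC 1191 code 4

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (used by both IPv4 and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src: str, dst: str, total_len: int, proto: int = 6) -> bytes:
    """Minimal IPv4 header with DF set, as a PMTU-discovering TCP client emits it."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0,
                    ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return h[:10] + struct.pack("!H", checksum(h)) + h[12:]

def frag_needed(next_hop_mtu: int, orig_ip_hdr: bytes, orig_l4_head: bytes) -> bytes:
    """ICMP type 3 code 4 as the VPN hop returns it: MTU hint, offending IP header, first 8 L4 bytes."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, 0, 0, next_hop_mtu)
    body += orig_ip_hdr + orig_l4_head[:8]
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def parse_frag_needed(icmp: bytes) -> dict:
    """Extract the MTU hint and the embedded (post-NAT) 4-tuple; reject anything else."""
    t, c, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (t, c) != (ICMP_DEST_UNREACH, CODE_FRAG_NEEDED) or checksum(icmp) != 0:
        raise ValueError("not a valid ICMP fragmentation-needed error")
    ihl = (icmp[8] & 0x0F) * 4                      # embedded header may carry IP options
    inner = icmp[8:8 + ihl]
    sport, dport = struct.unpack("!HH", icmp[8 + ihl:12 + ihl])
    return {"mtu": mtu, "src": str(ipaddress.IPv4Address(inner[12:16])),
            "dst": str(ipaddress.IPv4Address(inner[16:20])), "sport": sport, "dport": dport}

def reverse_nat(icmp: bytes, nat_table: dict):
    """The step conntrack/NAT must do on the embedded header before FORWARD can deliver the
    error to eth0: map the masqueraded source back to the client. None means no matching flow."""
    e = parse_frag_needed(icmp)
    client = nat_table.get((e["src"], e["sport"]))
    if client is None:
        return None
    return {"deliver_to": client[0], "client_port": client[1], "mtu": e["mtu"], "dst": e["dst"]}

# Constructed sample: client 192.168.1.10:40000 masqueraded as 10.8.0.2:61000 toward VPN peer 10.8.0.1.
NAT_TABLE = {("10.8.0.2", 61000): ("192.168.1.10", 40000)}
ORIG_HDR = ipv4_header("10.8.0.2", "10.8.0.1", 1500)   # the 1500-byte DF packet after MASQUERADE
ORIG_TCP = struct.pack("!HHI", 61000, 443, 1)           # translated source port, dst port, seq
SAMPLE_ICMP = frag_needed(1400, ORIG_HDR, ORIG_TCP)     # what the VPN hop sends back to 10.8.0.2
```

If the lookup returns None the error has nowhere to go and is dropped, which is exactly the symptom of the client never learning the smaller MTU.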