
Is there a way to force IP packet fragmentation before packets go into tun0 and then force reassembly on the other side of the tun device?

I have some IPsec traffic that I cannot control; it wants a 1500 MTU and just gets dropped at the tun device.

I guess it might be possible to encapsulate the traffic into a TCP stream and then reassemble the stream back into packets, but that is definitely not how it should work, for various reasons. So I am wondering if there is a way to force fragmentation and reassembly for at least some matched packets at the OS level in Linux?

grandrew

1 Answer


Have you tried

 ip link set mtu xxx dev tun0

where xxx is whatever you deem appropriate?

EDIT:

You may want to take a look at this; this guy had a problem similar to yours:

I had the same problem some time later. My uplink does not pass TCP packets with a length of more than 1496 bytes. I solved this by clearing the DF bit in all outgoing TCP packets. Linux by default does not allow clearing the DF bit, so I wrote a small kernel module and a patch for iptables for clearing the DF bit.

Usage: to clear DF on outgoing packets:

iptables -t mangle -A POSTROUTING -j DF --clear

To clear DF on incoming packets:

iptables -t mangle -A PREROUTING -j DF --clear

Other iptables options are also allowed.

The links to his code are dead, but you can try writing to him at avl@strace.net.
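The mechanism the question asks about, as an added example that is not part of the original question or answer: a pure-Python model of RFC 791 IPv4 fragmentation and reassembly, run over a constructed 1500-byte ESP packet with DF set that meets a tun device whose MTU has been lowered to 1400 with `ip link set mtu`. It shows that with DF set the packet cannot be fragmented and is dropped (the kernel would normally also send an ICMP fragmentation-needed message back to the sender), that clearing DF first, which is what the quoted `DF --clear` target did, lets it be split, and that the fragments reassemble byte-for-byte in any arrival order. The `DF` target itself is a private iptables patch, not part of mainline iptables; the addresses, IP identification, protocol 50 (ESP) and the 1400-byte MTU below are assumptions for the sample, and nothing is sent on the wire.

```python
# Added example, not from the original question or answer: RFC 791 IPv4
# fragmentation and reassembly in pure Python. All packets are constructed
# inline (addresses, id, protocol 50 = ESP and MTU 1400 are assumptions).
import ipaddress
import struct

DF = 0x4000        # Don't Fragment flag, in the 16-bit flags/fragment-offset field
MF = 0x2000        # More Fragments flag
OFF_MASK = 0x1FFF  # fragment offset, counted in 8-byte units
IHL = 20           # header length we build (no options)


def checksum(hdr: bytes) -> int:
    """One's-complement IPv4 header checksum; returns 0 for a valid header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def build_ipv4(payload: bytes, proto: int = 50, ident: int = 0x1234,
               flags_off: int = 0, src: str = "10.0.0.1", dst: str = "10.0.0.2") -> bytes:
    """Build an IPv4 packet with a 20-byte header (proto 50 = ESP, like the asker's traffic)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IHL + len(payload), ident, flags_off,
                      64, proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def _header_fields(pkt: bytes):
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_off = struct.unpack("!HHH", pkt[2:8])
    return ihl, total_len, ident, flags_off


def _rewrite(hdr: bytes, total_len: int, flags_off: int) -> bytes:
    """Copy a header with a new length and flags/offset, recomputing the checksum."""
    h = bytearray(hdr)
    struct.pack_into("!H", h, 2, total_len)
    struct.pack_into("!H", h, 6, flags_off)
    struct.pack_into("!H", h, 10, 0)
    struct.pack_into("!H", h, 10, checksum(bytes(h)))
    return bytes(h)


class FragmentationNeeded(Exception):
    """DF set and packet larger than the MTU: the kernel drops it (ICMP type 3 code 4)."""


def fragment(pkt: bytes, mtu: int, clear_df: bool = False) -> list:
    """Split pkt into fragments that fit mtu; refuses if DF is set unless clear_df."""
    ihl, total_len, _, flags_off = _header_fields(pkt)
    hdr, payload = pkt[:ihl], pkt[ihl:total_len]
    if total_len <= mtu:
        return [pkt]
    if flags_off & DF and not clear_df:
        raise FragmentationNeeded("DF set and %d > MTU %d" % (total_len, mtu))
    flags_off &= ~DF                    # the "DF --clear" step
    base_off, more = flags_off & OFF_MASK, flags_off & MF
    chunk = (mtu - ihl) // 8 * 8        # non-final fragments carry a multiple of 8 bytes
    if chunk <= 0:
        raise ValueError("MTU too small for any payload")
    frags = []
    for i in range(0, len(payload), chunk):
        piece = payload[i:i + chunk]
        last = i + chunk >= len(payload)
        fo = (base_off + i // 8) | (more if last else MF)   # keep MF if input was itself a fragment
        frags.append(_rewrite(hdr, ihl + len(piece), fo) + piece)
    return frags


def reassemble(frags):
    """Rebuild the datagram from fragments of one (src, dst, proto, id); None while incomplete."""
    pieces, total, first_hdr, first_fo = {}, None, None, 0
    for f in frags:
        ihl, total_len, _, flags_off = _header_fields(f)
        off = (flags_off & OFF_MASK) * 8
        pieces[off] = f[ihl:total_len]
        if not flags_off & MF:                      # the final fragment fixes the datagram size
            total = off + len(pieces[off])
        if off == 0:
            first_hdr, first_fo = f[:ihl], flags_off
    if total is None or first_hdr is None:
        return None
    data, pos = bytearray(), 0
    while pos < total:
        if pos not in pieces:
            return None                             # hole: keep waiting (the kernel times the queue out)
        data += pieces[pos]
        pos += len(pieces[pos])
    return _rewrite(first_hdr, len(first_hdr) + total, first_fo & ~(MF | OFF_MASK)) + bytes(data)


# Constructed sample: a full-size 1500-byte ESP packet with DF set, as the asker
# describes, about to hit a tun0 whose MTU has been lowered to 1400.
PAYLOAD = bytes(i & 0xFF for i in range(1480))
ESP_PKT = build_ipv4(PAYLOAD, flags_off=DF)
TUN_MTU = 1400


def demo():
    """Return (dropped with DF set?, fragment count after clearing DF, reassembled ok?)."""
    try:
        fragment(ESP_PKT, TUN_MTU)
        dropped = False
    except FragmentationNeeded:
        dropped = True
    frags = fragment(ESP_PKT, TUN_MTU, clear_df=True)
    back = reassemble(frags[::-1])                  # arrival order does not matter
    ok = back == build_ipv4(PAYLOAD, flags_off=0) and all(checksum(f[:IHL]) == 0 for f in frags)
    return dropped, len(frags), ok


if __name__ == "__main__":
    print(demo())   # (True, 2, True)
```

Run as a script it reports that the DF-flagged packet is dropped at the 1400-byte MTU, that clearing DF turns it into two fragments (1396 and 124 bytes, since fragment payloads are multiples of 8), and that the receiver gets the original 1500-byte datagram back. The practical lesson is the same as the answer's: once the tun MTU is lowered with `ip link set mtu`, a sender that honours the resulting ICMP fragmentation-needed messages will shrink its packets, and only traffic that sets DF and ignores PMTUD needs the DF bit cleared before the tun device.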