On Mon, 1 Nov 2004, Emmanuel Dreyfus wrote:

> Hi
>
> I recognize this problem from the IPsec time, but have never seen it with OpenVPN! With IPsec this problem pops up on ISAKMP phase 1 when using certificates and a lot of vendor IDs. This makes a UDP packet big enough to be blocked. This is solved by handling fragmentation at the application layer. Sending packets of no more than 552 bytes works.

Yes, you can either handle it by telling OpenVPN to set a lower MTU on the tun/tap interface, or, the way I think most people handle it today, by using the --mssfix option to make OpenVPN clamp the MSS field in the TCP header of tunneled TCP sessions.

You also have the --fragment option, which does exactly what you asked for: internal fragmentation at a packet size set by you.

Most common I think is to use both --mssfix and --fragment to let mssfix handle TCP sessions, and those packets not affected by mssfix are handled by fragment.

I've never had to go as low as 552 bytes though. I use 1400 for mssfix and fragment.

What router is requiring this low value? Or did you mean that you have a path to the VPN router not allowing packets larger than 552 bytes without fragmentation? What kind of equipment is using such a low MTU?
-- 
_____________________________________________________________
Mathias Sundman                  (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows           X    NO HTML/RTF in e-mail
http://www.nilings.se/openvpn    / \   NO Word docs in e-mail

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
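
An added example, not part of the original message: one way to measure which value to give --fragment and --mssfix instead of guessing between 1400 and 552. It assumes Linux iputils `ping` (`-M do` sets the Don't Fragment bit), an IPv4 path, and a peer that answers ICMP echo; the function names and the host argument are hypothetical.

```shell
#!/bin/sh
# Added example: binary-search the largest IPv4 packet that crosses the path
# with DF set, then derive the matching --fragment / --mssfix value.

# probe SIZE HOST: succeed if an IPv4 packet of SIZE bytes in total reaches
# HOST unfragmented. ICMP payload = SIZE - 20 (IPv4 header) - 8 (ICMP header).
# Assumption: iputils ping; other ping implementations use different flags.
probe() {
    ping -M do -c 1 -W 1 -s $(( $1 - 28 )) "$2" >/dev/null 2>&1
}

# path_mtu HOST [LOW] [HIGH]: largest size in LOW..HIGH for which probe works.
# Prints 0 and fails if even LOW does not get through.
path_mtu() {
    host=$1; lo=${2:-552}; hi=${3:-1500}
    probe "$lo" "$host" || { echo 0; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))      # round up so the loop always shrinks
        if probe "$mid" "$host"; then
            lo=$mid                       # mid fits: search above it
        else
            hi=$(( mid - 1 ))             # mid is dropped: search below it
        fi
    done
    echo "$lo"
}

# openvpn_max MTU: the OpenVPN manual defines the --fragment value as the UDP
# packet size without the UDP header, so subtract IPv4 (20) and UDP (8).
openvpn_max() {
    echo $(( $1 - 28 ))
}

# Usage: sh pmtu.sh vpn.example.net   (placeholder host name)
if [ -n "${1:-}" ]; then
    if mtu=$(path_mtu "$1"); then
        n=$(openvpn_max "$mtu")
        echo "path MTU $mtu: use --fragment $n --mssfix $n"
    else
        echo "no reply even at the lower bound; ICMP may be filtered" >&2
    fi
fi
```

A failed probe can also mean ICMP echo is filtered somewhere on the path, so a result at the lower bound is worth confirming with a test tunnel before settling on it.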