Description of problem:
It looks like MTU and MSS values are not set correctly by the kernel when a GRE tunnel is encapsulated in an IPSec tunnel. I've experienced the classic symptoms of this: small packets would go through the tunnel, but large packets would simply be dropped.

I've used the workaround of manually setting the MTU value for the GRE tunnel to 1362. Then, for all packets going over the GRE tunnel, I've placed some firewall rules to set the MSS to 1024 in TCP SYN packets (-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1024). After I did both (and only after doing both), TCP connections between the two sides worked correctly. The values I used were completely guessed (trial and error).

I haven't had problems when testing on a local network (over Ethernet), only when the remote end was "somewhere remote" (usually on ADSL or cable). Path MTU discovery problem? The intermediate routers wouldn't see the don't-fragment bit, since the thing is encrypted (plus it is double tunneled).

Version-Release number of selected component (if applicable):
kernel-2.6.9-22.EL

How reproducible:
Always

Steps to Reproduce:
1. Configure GRE tunnel
2. Configure IPSec so that GRE tunnel goes through IPSec tunnel

Actual results:

Expected results:

Additional info:
IPSEC path mtu discovery is known to have severe limitations when tunneling at the moment. Setting the MTU of the device by hand is one workaround. Due to the large, invasive, certainly kABI breaking, and currently unimplemented changes necessary to fix this problem, I do not see us fixing this for any RHEL4 update.
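Since the report's MTU and MSS values were found by trial and error, the following added example (not part of the bug report or the kernel) derives a GRE device MTU and matching MSS clamp from the path MTU and the ESP encapsulation overhead, and checks whether a hand-picked pair fits. The header sizes and the default cipher parameters (AES-CBC with a 12-byte ICV) are assumptions about a typical setup, not values taken from the report.

```python
# Added example (not from the bug report): MTU/MSS budget for GRE carried
# inside an ESP tunnel, so the values can be derived instead of guessed.
# All overhead figures below are assumptions about a typical setup, not
# values taken from the report.

OUTER_IP = 20      # IPv4 header added by ESP tunnel mode
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
GRE_IP = 20        # IPv4 header of the GRE delivery packet
GRE_HDR = 4        # GRE header without key/sequence fields
TCP_IP = 40        # IPv4 + TCP headers, subtracted to get the MSS


def gre_mtu_over_esp(path_mtu, block=16, iv=16, icv=12, gre_key=False):
    """Largest GRE device MTU whose packets still fit in path_mtu after ESP.

    Defaults assume AES-CBC (16-byte block and IV) with a 12-byte ICV
    (HMAC-SHA1-96); pass block=8, iv=8 for 3DES-CBC.  ESP pads the
    payload so that payload + trailer is a multiple of the cipher block.
    """
    avail = path_mtu - OUTER_IP - ESP_HDR - iv - icv
    padded = (avail // block) * block       # largest block-aligned payload
    inner = padded - ESP_TRAILER            # room for the GRE delivery packet
    return inner - GRE_IP - GRE_HDR - (4 if gre_key else 0)


def mss_for_mtu(mtu):
    """MSS clamp matching a tunnel MTU (MTU minus IPv4 + TCP headers)."""
    return mtu - TCP_IP


def within_budget(gre_mtu, mss, path_mtu, **esp):
    """True if a hand-picked MTU/MSS pair fits the computed ESP budget."""
    limit = gre_mtu_over_esp(path_mtu, **esp)
    return gre_mtu <= limit and mss <= mss_for_mtu(gre_mtu)


if __name__ == "__main__":
    for pmtu in (1500, 1492):  # Ethernet, and PPPoE as used on many ADSL links
        m = gre_mtu_over_esp(pmtu)
        print(f"path MTU {pmtu}: GRE MTU {m}, MSS {mss_for_mtu(m)}")
    # The report's guessed pair (1362 / 1024) is conservative for both paths.
    print(within_budget(1362, 1024, 1492))
```

The workaround commands from the report (setting the GRE device MTU and a TCPMSS clamp) can then be fed the computed values rather than guessed ones.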