Bug 174857 - MTU and MSS not set correctly for GRE inside IPSec case
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: David Miller
Brian Brock
Reported: 2005-12-02 16:35 EST by Aleksandar Milivojevic
Modified: 2007-11-30 17:07 EST (History)
Doc Type: Bug Fix
Last Closed: 2005-12-09 16:12:50 EST
Description Aleksandar Milivojevic 2005-12-02 16:35:42 EST
Description of problem:
It looks like the MTU and MSS values are not set correctly by the kernel when a GRE tunnel
is encapsulated in an IPSec tunnel.  I've experienced the classic symptoms of this.
The small packets would go through the tunnel, but large packets would be simply

I've used the workaround of manually setting the MTU value for the GRE tunnel to 1362.  Then
for all packets going over the GRE tunnel, I've placed some firewall rules to set
MSS to 1024 in TCP SYN packets (-p tcp --tcp-flags SYN,RST SYN -j TCPMSS
--set-mss 1024).  After I did both (and only after doing both), TCP connections
between the two sides worked correctly.  The values I used were completely guessed
(trial and error).

I haven't had problems when testing on the local network (over Ethernet).  Only when
the remote end was "somewhere remote" (usually on ADSL or cable).

Path MTU discovery problem?  The intermediate routers wouldn't see the don't
fragment bit, since the thing is encrypted (plus it is double tunneled).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure GRE tunnel
2. Configure IPSec so that GRE tunnel goes through IPSec tunnel
Actual results:

Expected results:

Additional info:
Comment 1 David Miller 2005-12-09 16:12:50 EST
IPSEC path mtu discovery is known to have severe limitations when
tunneling at the moment.  Setting the MTU of the device by hand is
one workaround.

Due to the large, invasive, certainly kABI breaking, and currently
unimplemented changes necessary to fix this problem, I do not see
us fixing this for any RHEL4 update.
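
The workaround values in the description were found by trial and error. As an added example (not from the bug report or the kernel), the sketch below derives a GRE device MTU and a TCP MSS clamp from a given path MTU. It assumes IPv4, a base 4-byte GRE header and ESP in tunnel mode with the cipher profiles named in the code; the report states none of these, and all names are hypothetical.

```python
# Added example: MTU/MSS budget for GRE carried inside an ESP tunnel-mode SA.
# Cipher and header sizes are assumptions; the bug report does not state them.
from dataclasses import dataclass

IPV4_HDR = 20      # IPv4 header without options
TCP_HDR = 20       # TCP header without options
GRE_HDR = 4        # base GRE header (no key, checksum or sequence fields)
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad-length + next-header bytes

@dataclass(frozen=True)
class EspProfile:
    iv_len: int          # per-packet IV carried in clear
    block: int           # block size the ciphertext is padded to
    icv_len: int         # truncated integrity check value
    nat_t: bool = False  # UDP encapsulation (RFC 3948) adds 8 bytes

    def fixed_overhead(self) -> int:
        return IPV4_HDR + (8 if self.nat_t else 0) + ESP_HDR + self.iv_len + self.icv_len

AES_CBC_SHA1 = EspProfile(iv_len=16, block=16, icv_len=12)
TDES_CBC_SHA1 = EspProfile(iv_len=8, block=8, icv_len=12)

def outer_size(inner_len: int, esp: EspProfile) -> int:
    """Size on the wire of an inner packet sent through GRE, then ESP tunnel mode."""
    gre_packet = IPV4_HDR + GRE_HDR + inner_len
    padded = -(-(gre_packet + ESP_TRAILER) // esp.block) * esp.block  # round up
    return esp.fixed_overhead() + padded

def gre_mtu(path_mtu: int, esp: EspProfile) -> int:
    """Largest inner packet whose encrypted form still fits in path_mtu."""
    room = path_mtu - esp.fixed_overhead()
    ciphertext = room // esp.block * esp.block  # round down to whole blocks
    mtu = ciphertext - ESP_TRAILER - IPV4_HDR - GRE_HDR
    if mtu < 68:  # below the IPv4 minimum MTU nothing useful fits
        raise ValueError("path MTU too small for this encapsulation")
    return mtu

def tcp_mss(path_mtu: int, esp: EspProfile) -> int:
    """MSS to clamp SYNs to so full-size segments need no fragmentation."""
    return gre_mtu(path_mtu, esp) - IPV4_HDR - TCP_HDR

if __name__ == "__main__":
    for name, pmtu in (("Ethernet", 1500), ("PPPoE", 1492)):
        for label, esp in (("AES-CBC/SHA1", AES_CBC_SHA1), ("3DES-CBC/SHA1", TDES_CBC_SHA1)):
            print(f"{name:8} {label:13} gre_mtu={gre_mtu(pmtu, esp)} mss={tcp_mss(pmtu, esp)}")
```

Under the assumed AES-CBC/HMAC-SHA1 profile, the 1362-byte GRE MTU from the description produces a 1448-byte outer packet, which fits both a 1500-byte and a 1492-byte path.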
