Red Hat Bugzilla – Bug 174857
MTU and MSS not set correctly for GRE inside IPSec case
Last modified: 2007-11-30 17:07:21 EST
Description of problem:
It looks like the MTU and MSS values are not set correctly by the kernel when a GRE tunnel
is encapsulated in an IPSec tunnel. I've experienced the classic symptoms of this.
The small packets would go through the tunnel, but large packets would be simply
I've used a workaround of manually setting the MTU value for the GRE tunnel to 1362. Then,
for all packets going over the GRE tunnel, I placed some firewall rules to set the
MSS to 1024 in TCP SYN packets (-p tcp --tcp-flags SYN,RST SYN -j TCPMSS
--set-mss 1024). After I did both (and only after doing both), TCP connections
between the two sides worked correctly. The values I used were completely guessed
(trial and error).
I haven't had problems when testing on a local network (over Ethernet), only when the
remote end was "somewhere remote" (usually on ADSL or cable).
Path MTU discovery problem? The intermediate routers wouldn't see the don't-fragment
bit, since the thing is encrypted (plus it is double tunneled).
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Configure GRE tunnel
2. Configure IPSec so that GRE tunnel goes through IPSec tunnel
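The workaround in the report (set the GRE device MTU by hand, then clamp the TCP MSS on SYNs with the TCPMSS target) can be derived from encapsulation overhead instead of guessed. The script below is an added example, not part of the bug report or of RHEL; it assumes an interface named gre1, ESP tunnel mode with AES-CBC (16-byte IV and padding block) and a 12-byte HMAC authenticator, and a 1500-byte path MTU. It computes the largest inner packet that survives GRE-over-IPsec without fragmentation, the matching MSS, and prints the commands rather than applying them.

```shell
#!/bin/sh
# Added example (not from the bug report): size the GRE device MTU and the TCP MSS
# clamp from header overhead instead of trial and error. Device name and the ESP
# parameters below are assumptions for illustration.

# Fixed header sizes for IPv4.
IPV4_HDR=20
TCP_HDR=20
GRE_HDR=4            # plain GRE, no key/checksum/sequence options
ESP_HDR=8            # SPI + sequence number
ESP_TRAILER=2        # pad length + next header
ESP_ICV=12           # HMAC-SHA1-96 / HMAC-MD5-96 authenticator (assumed)
ESP_BLOCK=16         # AES-CBC: IV length and padding alignment (assumed)

# esp_overhead_max: worst-case bytes ESP tunnel mode adds to one packet:
# new outer IP header, ESP header, IV, up to (block-1) bytes of padding,
# trailer and authenticator.
esp_overhead_max() {
  echo $(( IPV4_HDR + ESP_HDR + ESP_BLOCK + (ESP_BLOCK - 1) + ESP_TRAILER + ESP_ICV ))
}

# gre_mtu PATH_MTU: largest inner IP packet that fits after adding the GRE
# header, the GRE outer IP header, and worst-case ESP tunnel-mode overhead.
gre_mtu() {
  echo $(( $1 - $(esp_overhead_max) - IPV4_HDR - GRE_HDR ))
}

# tcp_mss GRE_MTU: TCP payload that fits in one inner packet of that size.
tcp_mss() {
  echo $(( $1 - IPV4_HDR - TCP_HDR ))
}

# apply_commands DEV PATH_MTU: print (do not run) the commands that set the
# device MTU and clamp the MSS on forwarded SYNs leaving the tunnel device.
apply_commands() {
  dev=$1
  mtu=$(gre_mtu "$2")
  mss=$(tcp_mss "$mtu")
  echo "ip link set dev $dev mtu $mtu"
  echo "iptables -t mangle -A FORWARD -o $dev -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
}

apply_commands gre1 1500
```

For a 1500-byte path this yields a GRE MTU of 1403 and an MSS of 1363; for a 1492-byte PPPoE path (typical of the ADSL case in the report) the MTU drops to 1395. The reporter's guessed 1362/1024 pair is well under both, which is why it worked. Once the device MTU is right, `-j TCPMSS --clamp-mss-to-pmtu` can replace the fixed `--set-mss` value, since it derives the MSS from the outgoing route's MTU and leaves only the MTU to get right.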
IPSEC path mtu discovery is known to have severe limitations when
tunneling at the moment. Setting the MTU of the device by hand is
Due to the large, invasive, certainly kABI breaking, and currently
unimplemented changes necessary to fix this problem, I do not see
us fixing this for any RHEL4 update.