Linux – Forcing IP fragmentation and reassembly for some traffic through a VPN tunnel

ip-fragmentation, linux, mtu, vpn

Is there a way to force IP packet fragmentation before packets go into tun0, and then force them to be reassembled on the other side of the tun device?

I have some IPsec traffic that I cannot control; it wants a 1500 MTU and just gets dropped at the tun device.

I guess it might be possible to encapsulate the traffic into a TCP stream and then reassemble the stream back into packets, but that is definitely not how it should work, for various reasons. So I am wondering if there is a way to force fragmentation and reassembly for at least some matched packets at the OS level in Linux.

Best Answer

Have you tried

 ip link set mtu xxx dev tun0

where xxx is whatever you deem appropriate?

EDIT:

You may want to take a look at this: this guy has a problem similar to yours.

I had the same problem some time later. My uplink does not pass TCP packets with length more than 1496 bytes. I solved this by clearing the DF bit in all outgoing TCP packets. Linux by default does not allow clearing the DF bit, so I wrote a small kernel module and a patch for iptables for clearing the DF bit.

Use: to clear DF on outgoing packets:

iptables -t mangle -A POSTROUTING -j DF --clear

To clear DF on incoming packets:

iptables -t mangle -A PREROUTING -j DF --clear

Other iptables options are also allowed.

The refs to his code are dead, but you can try writing him, avl@strace.net.
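As an added example (not code from the question, the answer or the quoted mailing-list post), here is a small IPv4 fragmenter and reassembler in Python that shows what the DF bit does to the advice above: with DF set, lowering the tun0 MTU only gets an oversized packet rejected (a Linux router sends ICMP "fragmentation needed" and drops it, which is the symptom in the question), while once DF is cleared the packet can be split to fit the tunnel MTU and put back together at the receiver, even when the fragments arrive out of order or are re-fragmented on the way. The addresses 10.0.0.1 and 10.0.0.2, the IP ID 0x1234 and the 1500-byte datagram in demo() are constructed; the code assumes IPv4 headers without options.

```python
# Added example, not code from the question or answer. Addresses, IP ID and
# sizes used in demo() are constructed. Assumes IPv4 headers without options.
import struct

IP_DF, IP_MF, OFFSET_MASK = 0x4000, 0x2000, 0x1FFF  # flags; offset in 8-byte units
HDR = "!BBHHHBBH4s4s"                                 # 20-byte IPv4 header layout


def checksum(data):
    """One's-complement sum used for the IPv4 header checksum."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload, src, dst, ident, flags_offset=0, proto=17, ttl=64):
    hdr = struct.pack(HDR, 0x45, 0, 20 + len(payload), ident, flags_offset,
                      ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt):
    """Return (fields, payload); rejects a header whose checksum is wrong."""
    ihl = (pkt[0] & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    _, _, tlen, ident, fo, ttl, proto, _, src, dst = struct.unpack(HDR, pkt[:20])
    return {"ident": ident, "df": bool(fo & IP_DF), "mf": bool(fo & IP_MF),
            "offset": (fo & OFFSET_MASK) * 8, "proto": proto, "ttl": ttl,
            "src": src, "dst": dst, "ihl": ihl}, pkt[ihl:tlen]


class FragmentationNeeded(Exception):
    pass  # where a router would send ICMP type 3 code 4 and drop the packet


def clear_df(pkt):
    """Clear DF and fix the checksum: what the quoted 'DF --clear' target does."""
    ihl, hdr = (pkt[0] & 0x0F) * 4, bytearray(pkt)
    hdr[6:8] = struct.pack("!H", struct.unpack("!H", hdr[6:8])[0] & ~IP_DF & 0xFFFF)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr[:ihl])))
    return bytes(hdr)


def fragment(pkt, mtu):
    """Split pkt so each piece fits mtu, honouring DF the way the kernel does."""
    if len(pkt) <= mtu:
        return [pkt]
    f, payload = parse_ipv4(pkt)
    if f["df"]:
        raise FragmentationNeeded("%d bytes, DF set, MTU %d" % (len(pkt), mtu))
    chunk = (mtu - f["ihl"]) // 8 * 8          # fragment data in 8-byte units
    assert chunk > 0, "MTU too small for an IPv4 header"
    frags = []
    for i in range(0, len(payload), chunk):
        last = i + chunk >= len(payload)
        mf = 0 if last and not f["mf"] else IP_MF   # keep MF when re-fragmenting
        fo = mf | ((f["offset"] + i) // 8)
        frags.append(build_ipv4(payload[i:i + chunk], f["src"], f["dst"],
                                f["ident"], fo, f["proto"], f["ttl"]))
    return frags


class Reassembler:
    """Receiver side: buffer fragments per (src, dst, id, proto) and return the
    whole datagram once no hole remains. No timeout; overlaps never complete."""
    def __init__(self):
        self.buckets = {}

    def feed(self, frag):
        f, payload = parse_ipv4(frag)
        if not f["mf"] and f["offset"] == 0:
            return frag                                 # was never fragmented
        key = (f["src"], f["dst"], f["ident"], f["proto"])
        b = self.buckets.setdefault(key, {"parts": {}, "total": None})
        b["parts"][f["offset"]] = payload
        if not f["mf"]:
            b["total"] = f["offset"] + len(payload)     # last fragment seen
        pos = 0
        for off in sorted(b["parts"]):
            if off != pos:
                return None                             # hole or overlap
            pos += len(b["parts"][off])
        if pos != b["total"]:
            return None
        del self.buckets[key]
        data = b"".join(b["parts"][o] for o in sorted(b["parts"]))
        return build_ipv4(data, f["src"], f["dst"], f["ident"], 0, f["proto"], f["ttl"])


def demo(tun_mtu=1400):
    """Constructed 1500-byte UDP datagram with DF set crossing a tunnel of MTU
    tun_mtu. Returns (dropped while DF set, fragment count, reassembled OK)."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    pkt = build_ipv4(bytes(range(256)) * 5 + b"\x00" * 200, src, dst, 0x1234, IP_DF)
    dropped = False
    try:
        fragment(pkt, tun_mtu)
    except FragmentationNeeded:
        dropped = True                                  # the question's symptom
    frags = fragment(clear_df(pkt), tun_mtu)
    r, out = Reassembler(), None
    for fr in reversed(frags):                          # out-of-order delivery
        out = r.feed(fr)
    return dropped, len(frags), out == clear_df(pkt)
```

On a real Linux path the receiving side needs nothing special once DF is cleared: the peer's kernel reassembles IP fragments before handing the datagram up, and netfilter defragments them before conntrack sees them. Clamping TCP MSS with the TCPMSS target (--clamp-mss-to-pmtu) is the usual alternative for TCP flows, but it cannot help with the ESP packets in the question, since any TCP header is inside the encrypted payload.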
