XFRM / DF Flag / Fragmentation Needed

[Thomas DuBuisson]

I know this sounds like the same Black Hole topic you have heard before
but I couldn't find a case like mine online so please hear me out.

I am having a problem when I am tunneling packets (in this case
large scp packets) through an IPsec tunnel and I am getting ICMP
'Fragmentation Needed' after this point in time the application (cvs
update) stalls.  The setup is effectively A<--2 ipsec tunnels-->B<-->C
After A establishes an SSH connection with C and tries to transfer the
patches the size of a packet from A destined for C is quickly reaches 1500
while the MTU
to A is ~1400.  At this point A sends an ICMP 'Fragmentation Needed'
packet to its self (see xfrm_output.c xfrm4_tunnel_check_size(...)).  It
seems this packet is never acted on - it just disappears into the
loopback interface.  The proper mtu trial/error process never takes
place.

Hasily formed theory:
Could xfrm, seeing an IP(actually, esp) packet, expects the app to handle
it(returning EMSGSIZE) while SSH, using TCP, expects the kernel to handle
it?

If not, can something throw me a suggestion or a link?

Please CC me as I am not on this list.

Thanks for any replies, if you want any more information feel free to ask.
Tom
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/