Hi all,

I have a test program that sends UDP packets over an IPSec tunnel. Both outer and inner IP are IPv4. This is on an Ubuntu 10.04.

When the packet size is > MTU, I notice that the fragmentation occurs at the outer IP. However, in order to test a particular scenario, I wish to generate encrypted packets where the inner IP is fragmented.

Are there any options through which I can configure inner IP fragmentation instead of outer?

Thanks!

The path-mtu-discovery can adjust tunnel MTU and avoid outer IP fragments.

That's correct, but my goal is to generate inner IP fragments in order to test my inner IP reassembly algorithm. So I am wondering if there is any option that can be set to do this instead of fragment at the outer IP.

1)Test IPSec MTU by ping manually.
2)Configure IPSec interface MTU.

You can use extended ping to see the size of packet that you can send over the tunnel with DF bit set do not fragment.

if you have two windows machines , one on each side of the vpn with ip add 10.2.2.10 and 10.3.3.10.

ping from 10.2.2.10 using :-

ping 10.3.3.10
reply success

ping 10.3.3.10 -l 1500 -f { where -l 1500 sets the MTU to 1500 and -f says do not fragment }
packet needs to be fragmentated but df set
packet needs to be fragmentated but df set

ping 10.3.3.10 -l 1300 -f
packets needs fragmentation but df set

ping 10.3.3.10 -l 1270 -f
reply success
reply success