If there is a link with a smaller MTU somewhere between the VPN gateways, the router attached to that link answers ESP packets that have the DF bit set and exceed the link MTU with an ICMP Fragmentation Needed message (type 3, code 4).
However, at that point the firewall only records the MTU value; it does not send an ICMP error message to the endpoint of the original connection.
Only when the host in the internal network sends its next packet does the firewall handling the connection reply to that host with the ICMP error message.
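The two-step behaviour described above, as an added model (not code from the original post): a router returns ICMP type 3 code 4 for an oversized ESP packet, the gateway can only store the learned MTU because the encrypted payload does not identify the internal sender, and the next inner packet from that sender is answered with an ICMP error carrying the MTU minus the ESP overhead. The addresses, the `ESP_OVERHEAD` figure and the class names are assumptions chosen for the illustration.

```python
"""Model of a VPN gateway handling ICMP Fragmentation Needed for ESP traffic.

Added illustration, not the original post's code. Addresses, the ESP
overhead figure and the data structures are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Optional, Union

# Assumed fixed tunnel overhead: outer IPv4 header plus ESP header/trailer.
ESP_OVERHEAD = 57


@dataclass
class Packet:
    src: str
    dst: str
    size: int
    df: bool = True  # Don't Fragment bit


@dataclass
class IcmpFragNeeded:
    """ICMP type 3, code 4: destination unreachable, fragmentation needed."""
    to: str
    mtu: int
    icmp_type: int = 3
    icmp_code: int = 4


class Router:
    """Router on the path between the gateways, in front of a small-MTU link."""

    def __init__(self, link_mtu: int) -> None:
        self.link_mtu = link_mtu

    def forward(self, pkt: Packet) -> Union[Packet, IcmpFragNeeded]:
        if pkt.df and pkt.size > self.link_mtu:
            # Error goes back to the outer source: the VPN gateway, not the host.
            return IcmpFragNeeded(to=pkt.src, mtu=self.link_mtu)
        return pkt


class VpnGateway:
    def __init__(self, addr: str, peer: str) -> None:
        self.addr = addr
        self.peer = peer
        self.path_mtu: Optional[int] = None  # MTU learned for this peer

    def encapsulate(self, inner: Packet) -> Packet:
        # Outer ESP packet; DF assumed set so the path reports its MTU.
        return Packet(self.addr, self.peer, inner.size + ESP_OVERHEAD, df=True)

    def receive_icmp(self, icmp: IcmpFragNeeded) -> None:
        # The ESP payload is encrypted, so the gateway cannot tell which
        # internal host sent the packet: it only stores the MTU for now.
        self.path_mtu = icmp.mtu

    def send_from_internal(self, inner: Packet, router: Router) -> Union[Packet, IcmpFragNeeded]:
        if self.path_mtu is not None and inner.df and inner.size + ESP_OVERHEAD > self.path_mtu:
            # The sender is known now: tell it the MTU it must respect, net of
            # the tunnel overhead, so its next packet fits the outer path.
            return IcmpFragNeeded(to=inner.src, mtu=self.path_mtu - ESP_OVERHEAD)
        result = router.forward(self.encapsulate(inner))
        if isinstance(result, IcmpFragNeeded):
            self.receive_icmp(result)
        return result


def simulate():
    """Two identical 1500-byte packets across a 1400-byte link (constructed)."""
    router = Router(link_mtu=1400)
    gw = VpnGateway("203.0.113.1", "198.51.100.1")
    first = gw.send_from_internal(Packet("10.0.0.5", "10.1.0.9", 1500), router)
    second = gw.send_from_internal(Packet("10.0.0.5", "10.1.0.9", 1500), router)
    fitted = gw.send_from_internal(Packet("10.0.0.5", "10.1.0.9", 1343), router)
    return first, second, fitted, gw.path_mtu


if __name__ == "__main__":
    first, second, fitted, learned = simulate()
    print("first ICMP addressed to", first.to, "-> gateway stores MTU", learned)
    print("second ICMP addressed to", second.to, "with MTU", second.mtu)
    print("resized packet forwarded:", isinstance(fitted, Packet))
```

The first ICMP error is addressed to the gateway's own outer address, which is why it cannot simply be relayed; the host only learns the reduced MTU on its next transmission, and a packet trimmed to that size is then forwarded without error.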
One Response to “VPN: where is my fragmentation needed ICMP message?”
January 27th, 2009 at 10:54 am
This is because it may be, and almost always is, impossible to figure out the original sending host from the ICMP error received for the ESP packet. Instead, the PMTU information is saved and a new packet is waited for from the internal network. The ICMP error is then sent for that packet.