
Is there a way to force IP packet fragmentation before packets go into tun0 and then force reassembly on the other side of the tun device?

I have some IPSec traffic that I cannot control; it wants a 1500 MTU and just gets dropped at the tun device.

I guess it might be possible to encapsulate the traffic into a TCP stream and then reassemble the stream back into packets, but that is definitely not how it should work, for various reasons. So I am wondering if there is a way to force fragmentation and reassembly for at least some matched packets at the OS level in Linux?

grandrew

1 Answer


Have you tried

 ip link set mtu xxx dev tun0

where xxx is whatever you deem appropriate?

EDIT:

you may want to take a look at this: this guy has a problem similar to yours,

I had the same problem some time later. My uplink does not pass TCP packets with length more than 1496 bytes. I solved this by clearing the DF bit in all outgoing TCP packets. Linux by default does not allow clearing the DF bit, so I wrote a small kernel module and a patch for iptables for clearing the DF bit.

To clear DF on outgoing packets:

iptables -t mangle -A POSTROUTING -j DF --clear

To clear DF on incoming packets:

iptables -t mangle -A PREROUTING -j DF --clear

Other iptables options are also allowed.

The refs to his code are dead, but you can try writing him, avl@strace.net.

  • All packets come with DF set. MTU is actually 1350 on tun0, but all the packets get dropped due to DF – grandrew Jan 22 '16 at 12:48
  • Thank you for the links! Regarding the DF clear: as far as I understand, Linux will not reassemble packets, and they have to travel all the way to the receiver through the wild net and then hopefully be reassembled by the actual receiver, which I do not control either. AFAIK, fragmented packets are likely to be dropped in the wild, so the second part, forcing immediate reassembly, is still open. Actually I am wondering why this task is so unpopular that I cannot google out the solution. – grandrew Jan 22 '16 at 21:23
  • What is the option for this in iptables6? I need to fragment an IPv6 packet in order to see if our product handles IP fragments correctly – Ferrybig Jun 16 '21 at 11:53
  • I get `iptables v1.6.1: unknown option "--clear"`. Why doesn't it work for me? – Aenfa Aug 09 '21 at 13:15
  • @Aenfa that is not part of default iptables; would require patching (and the link to the patch is dead) – Gavin S. Yancey Jan 18 '22 at 23:03
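What "clear DF, then fragment at the tun0 MTU" actually does to a packet on the wire, and why reassembly can only happen at the final receiver (the point made in the second comment): an added Python illustration, not code from the thread or from the patched iptables module. It assumes IPv4 headers without options and uses constructed addresses and payloads.

```python
import struct

# Constructed illustration (not from the thread): fragment one 1500-byte IPv4 packet
# at a 1350-byte MTU, honouring or clearing DF, then reassemble at the receiver.
IP_DF, IP_MF = 0x4000, 0x2000

def checksum(hdr: bytes) -> int:
    """RFC 791 ones-complement header checksum; returns 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(payload: bytes, df: bool, ident: int = 0x1234) -> bytes:
    """20-byte IPv4 header (proto 17, constructed 10.0.0.1 -> 10.0.0.2) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      IP_DF if df else 0, 64, 17, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def fragment(packet: bytes, mtu: int, clear_df: bool = False) -> list:
    """On-wire fragments for `mtu`; [] means the packet is dropped because DF is set."""
    hdr, payload = packet[:20], packet[20:]
    ident, flags = struct.unpack("!HH", hdr[4:8])
    if len(packet) <= mtu:
        return [packet]
    if flags & IP_DF and not clear_df:
        return []                        # the behaviour seen on tun0 in the question
    step = (mtu - 20) // 8 * 8           # non-final fragments carry a multiple of 8 bytes
    frags = []
    for off in range(0, len(payload), step):
        chunk = payload[off:off + step]
        ff = (IP_MF if off + step < len(payload) else 0) | (off // 8)
        h = hdr[:2] + struct.pack("!HHH", 20 + len(chunk), ident, ff) + hdr[8:10] + b"\0\0" + hdr[12:]
        frags.append(h[:10] + struct.pack("!H", checksum(h)) + h[12:] + chunk)
    return frags

def reassemble(frags: list) -> bytes:
    """Receiver-side reassembly of one datagram; routers in between never do this."""
    pieces, total = {}, None
    for f in frags:
        length, _ident, ff = struct.unpack("!HHH", f[2:8])
        off = (ff & 0x1FFF) * 8
        pieces[off] = f[20:length]
        if not ff & IP_MF:
            total = off + len(pieces[off])   # the last fragment fixes the total length
    data = b"".join(pieces[o] for o in sorted(pieces))
    if total is None or len(data) != total:
        raise ValueError("incomplete datagram")   # one lost fragment loses the whole packet
    return data
```

Note that a single lost fragment discards the entire datagram at the receiver, which is why fragments that have to cross the open Internet are so often lost; lowering the MTU of the inner traffic so packets never need fragmenting is the more reliable fix.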