MTU issue when using GRE over tinc

Guus Sliepen guus at tinc-vpn.org
Tue Dec 10 10:38:57 CET 2013


On Tue, Dec 10, 2013 at 10:08:37AM +0100, Loic Dachary wrote:

> In a setup where OpenVSwitch is used with GRE tunnels on top of an interface provided by tinc, I'm experiencing MTU problems and I'm not sure how to fix them. The manifestation of the problem is, from the user's point of view, a communication hang. And using "tcpdump -i there" displays lines such as:
> 
>     18:54:00.345666 IP 10.111.1.1 > 10.111.1.2: GREv0, key=0x5, length 1438: IP ceph.com.https > 10.0.3.15.57429: Flags [P.], seq 4917:6293, ack 658, win 71, length 1376
>     18:54:00.345746 IP 10.111.1.2 > 10.111.1.1: ICMP 10.111.1.2 unreachable - need to frag (mtu 1445), length 556
> 
> My actual use case very much resembles what is described here http://blog.csdn.net/lynn_kong/article/details/9140659
> 
> and I tried to change the MTU on the tinc provided interfaces on the machines that have 10.111.1.2 and 10.111.1.1 bound to them:
> 
>     ip link set mtu 1546 dev there

The problem is that the GRE tunnel sets the DF bit in its headers, meaning that
tinc should not fragment the GRE packets, but instead reply with an ICMP error
message when the packets are too large. This is exactly what tinc does. The
problem is that GRE doesn't handle those ICMP packets at all. To make sure that
the packets sent through the GRE tunnel do not exceed the maximum packet size,
you should lower the MTU of the GRE interface, for example like so:

    ip link set mtu 1400 dev gre0

Raising the MTU of the VPN interface does not help in any way, and lowering the
MTU of the VPN interface will make the problem worse.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
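
Added example, not part of the original message and not tinc code: a Python sketch that pairs each "need to frag" ICMP error in tcpdump output like the capture quoted above with the GRE packet it answers, and reports by how many bytes the outer packet exceeded the reported MTU. Assumptions: tcpdump's GRE `length` counts the GRE header plus payload, the outer IPv4 header is 20 bytes, and the ICMP error carries the GRE destination as its source, as in the quoted capture; the function name is hypothetical.

```python
import re

OUTER_IPV4_HEADER = 20  # assumption: outer IPv4 header without options

# Sample input: the two tcpdump lines quoted in the message above.
SAMPLE = """\
18:54:00.345666 IP 10.111.1.1 > 10.111.1.2: GREv0, key=0x5, length 1438: IP ceph.com.https > 10.0.3.15.57429: Flags [P.], seq 4917:6293, ack 658, win 71, length 1376
18:54:00.345746 IP 10.111.1.2 > 10.111.1.1: ICMP 10.111.1.2 unreachable - need to frag (mtu 1445), length 556
"""

GRE_RE = re.compile(r"IP (\S+) > (\S+): GREv0.*?, length (\d+):")
ICMP_RE = re.compile(
    r"IP (\S+) > (\S+): ICMP \S+ unreachable - need to frag \(mtu (\d+)\)")


def find_oversized_gre(capture):
    """Pair each 'need to frag' error with the latest GRE packet sent in the
    opposite direction and compute how far that packet overshot the MTU."""
    last_gre = {}  # (src, dst) -> GRE length of the most recent packet
    findings = []
    for line in capture.splitlines():
        m = GRE_RE.search(line)
        if m:
            last_gre[(m.group(1), m.group(2))] = int(m.group(3))
            continue
        m = ICMP_RE.search(line)
        if not m:
            continue
        icmp_src, icmp_dst, mtu = m.group(1), m.group(2), int(m.group(3))
        gre_len = last_gre.get((icmp_dst, icmp_src))
        if gre_len is None:
            continue  # no GRE packet seen that this error could refer to
        outer = gre_len + OUTER_IPV4_HEADER
        findings.append({
            "gre_sender": icmp_dst,
            "path_mtu": mtu,
            "outer_size": outer,          # size of the packet handed to the VPN
            "excess": outer - mtu,        # bytes over the reported MTU
            "max_gre_length": mtu - OUTER_IPV4_HEADER,
        })
    return findings


if __name__ == "__main__":
    for finding in find_oversized_gre(SAMPLE):
        print(finding)
```

On the quoted capture this reports a 1458-byte outer packet against an MTU of 1445, which is why the MTU has to be lowered on the GRE side rather than raised on the VPN interface.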