[c-nsp] IPSEC + TFTP don't work
Victor Sudakov
vas at mpeks.tomsk.su
Thu Apr 5 22:45:15 EDT 2012
Robert E. Seastrom wrote:
>
> > I feel that the issue may be in IP fragmentation of some sort which the
> > dumb PXE TCP/IP stack cannot handle, but a google search did not help.
> > At least neither an Intel NIC, nor a Realtek NIC nor a GPXE emulation
> > work.
>
> I'm pretty sure you're on the right track.
>
> Try setting the MTU on the ethernet on the TFTP server to 1400 or so
> rather than 1500. That oughta fix the problem, assuming that the tftp
> server software is sanely written. If it were TCP (tftpboot is of
> course udp) that would DTRT.
Actually I have tried something like
    route add -net $protected_net -mtu 1300 $ipsec_gateway
on the TFTP server and it did not help. I think the TFTP server just
sends its packets as requested by the client and does not care if the
MTU is small.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
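
A way to check the hypothesis discussed in this thread, as an added example that is not part of the original messages: parse the client's TFTP read request (RFC 2347 options), derive the size of the IPv4 datagrams the server will send for the negotiated blksize (RFC 2348), and compare that with the MTU usable across the tunnel. The sample request bytes, file name and blksize value are constructed; the 1300 and 1500 figures in the comments are only the MTU values mentioned above, and the usable MTU across a given IPsec tunnel has to be measured or supplied by the operator.

```python
import struct

# IPv4 header (no options) + UDP header + TFTP DATA header (opcode, block number)
IP_UDP_TFTP_OVERHEAD = 20 + 8 + 4
DEFAULT_BLKSIZE = 512  # RFC 1350 block size when the client sends no blksize option


def parse_rrq(payload: bytes) -> dict:
    """Parse the UDP payload of a TFTP RRQ/WRQ, including RFC 2347 options."""
    if len(payload) < 4 or payload[-1:] != b"\x00":
        raise ValueError("truncated or unterminated TFTP request")
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (1, 2):
        raise ValueError(f"not an RRQ/WRQ (opcode {opcode})")
    # Remaining fields are NUL-terminated strings: filename, mode, then
    # option-name/option-value pairs.
    fields = payload[2:-1].split(b"\x00")
    if len(fields) < 2 or len(fields) % 2:
        raise ValueError("malformed request or option list")
    options = {
        fields[i].decode("ascii").lower(): fields[i + 1].decode("ascii")
        for i in range(2, len(fields), 2)
    }
    return {
        "opcode": opcode,
        "filename": fields[0].decode("ascii"),
        "mode": fields[1].decode("ascii").lower(),
        "options": options,
    }


def data_datagram_size(request: dict) -> int:
    """Size of a full TFTP DATA packet as an IPv4 datagram for this request."""
    blksize = int(request["options"].get("blksize", DEFAULT_BLKSIZE))
    if not 8 <= blksize <= 65464:  # range allowed by RFC 2348
        raise ValueError(f"blksize {blksize} outside RFC 2348 range")
    return blksize + IP_UDP_TFTP_OVERHEAD


def max_blksize(path_mtu: int) -> int:
    """Largest blksize whose DATA packets fit in path_mtu without fragmentation."""
    return path_mtu - IP_UDP_TFTP_OVERHEAD


def fits(payload: bytes, path_mtu: int) -> bool:
    return data_datagram_size(parse_rrq(payload)) <= path_mtu


# Constructed sample: a read request asking for 1456-byte blocks.
SAMPLE_RRQ = b"\x00\x01pxelinux.0\x00octet\x00blksize\x001456\x00tsize\x000\x00"
```

The request payload can be taken from a capture on the TFTP server side; if `fits()` is false for the tunnel's usable MTU, every full DATA packet will need fragmentation regardless of the server's route MTU.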