[c-nsp] IPSEC + TFTP don't work

Victor Sudakov vas at mpeks.tomsk.su
Thu Apr 5 22:45:15 EDT 2012


Robert E. Seastrom wrote:
> 
> > I feel that the issue may be in IP fragmentation of some sort which the
> > dumb PXE TCP/IP stack cannot handle, but a google search did not help.
> > At least neither an Intel NIC, nor a Realtek NIC nor a GPXE emulation
> > work.
> 
> I'm pretty sure you're on the right track.
> 
> Try setting the MTU on the ethernet on the TFTP server to 1400 or so
> rather than 1500.  That oughta fix the problem, assuming that the tftp
> server software is sanely written.  If it were TCP (tftpboot is of
> course udp) that would DTRT.

Actually I have tried something like 

route add -net $protected_net -mtu 1300 $ipsec_gateway

on the TFTP server and it did not help. I think the TFTP server just
sends its packets as requested by the client and does not care if the
MTU is small.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru

