<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>I’ve setup a ikev2 VPN between a phone running android 4.4.2 with the StrongSwan 1.4.0 client and an OpenWRT server running Attitude Adjustment.<o:p></o:p></p><p class=MsoNormal>However, I’m having trouble with traffic packets not transferring correctly. I believe the issue is that the encapsulated packets add to the original payload and consequently exceed the MTU. So only packets sent with a smaller length are successfully received.<o:p></o:p></p><p class=MsoNormal>I’ve added the following line to the StrongSwan server’s iptables:<o:p></o:p></p><p class=MsoNormal style='text-indent:.5in'>iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu<o:p></o:p></p><p class=MsoNormal>This appears to help some but packets sent from external sources to my phone still exceed the MTU and the source either ignores or doesn’t receive the corresponding ICMP “unreachable - need to frag” response.<o:p></o:p></p><p class=MsoNormal>I’ve enabled logging on the firewall and nothing is apparently being filtered by my server’s firewall (although I’m not very expert with this firewall).<o:p></o:p></p><p class=MsoNormal>The following is an excerpt from tcpdump showing the incoming packets and the outgoing ICMP.<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.781209 IP My.IP.43953 > 54.243.165.228.80: Flags [.], ack 440, win 245, options [nop,nop,TS val 1402179 ecr 934076867], length 0<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.781256 IP 93.184.216.146.443 > My.IP.49187: Flags [.], seq 1461:2921, ack 399, win 245, length 1460<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.781362 IP My.IP > 93.184.216.146: ICMP My.IP unreachable - need to frag (mtu 1422), length 556<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.781387 IP 93.184.216.146.443 > My.IP.49187: Flags [P.], seq 2921:3996, ack 399, win 245, length 1075<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.784264 IP My.IP.49187 > 93.184.216.146.443: Flags [.], ack 1, win 229, options [nop,nop,sack 1 {2921:3996}], length 0<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.786403 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 1:1449, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.786539 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.787454 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 1449:2897, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.787572 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.787601 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 2897:4345, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.787664 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.787690 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 4345:5793, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.787752 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.787778 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 5793:7241, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.787840 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.787865 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 7241:8689, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.787928 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.788403 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 8689:10137, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.788520 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.788548 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 10137:11585, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.788609 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.789050 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 11585:13033, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.789156 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.789184 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 13033:14481, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.789247 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.807630 IP 31.13.65.49.443 > My.IP.38113: Flags [.], seq 9080:10450, ack 1497, win 242, options [nop,nop,TS val 672677314 ecr 1402172], length 1370<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.808085 IP 31.13.65.49.443 > My.IP.38113: Flags [P.], seq 10450:10754, ack 1497, win 242, options [nop,nop,TS val 672677314 ecr 1402172], length 304<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>01:49:10.808311 IP 31.13.65.49.443 > My.IP.38113: Flags [.], seq 10754:12124, ack 1497, win 242, options [nop,nop,TS val 672677314 ecr 1402172], length 1370<o:p></o:p></p><p class=MsoNormal>As seen, the incoming packets are repeated as if the ICMP is not received. The result is very inferior network responsiveness from a user perspective. Any ideas on how to overcome this?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Jay<o:p></o:p></p></div></body></html>