<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12px"><div id="yui_3_16_0_1_1425875474908_13927" dir="ltr"><span>sending again to include the list</span></div> <div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 12px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"> <font size="2" face="Arial"> On Monday, March 9, 2015 12:18 AM, Mark M <mark076h@yahoo.com> wrote:<br> </font> </div> <br><br> <div class="y_msg_container"><div id="yiv6418747048"><div><div style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12px;"><div dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554"><span>Noel,</span></div><div dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554"><span><br clear="none"></span></div><div dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554"><span id="yiv6418747048yui_3_16_0_1_1425873452010_3757">The plugin does not seem to work. I put my plugin info in /etc/strongswan/strongswan.conf. 
Here is my setup;</span></div><div dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554"><span><br clear="none"></span></div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style=""># strongswan.conf - strongSwan configuration file</div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style="">#</div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style=""># Refer to the strongswan.conf(5) manpage for details</div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style="">#</div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style=""># Configuration changes should be made in the included files</div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style=""><br clear="none" class="yiv6418747048" style=""></div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style="">charon {</div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style=""> load_modular = yes</div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style=""> plugins {</div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style=""> include strongswan.d/charon/*.conf</div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style=""> kernel-netlink {</div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style=""> mtu = 1300</div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style=""> mss = 1300</div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style=""> }</div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style=""> attr {</div><div 
class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style=""> dns=192.168.1.1</div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style=""> }</div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style=""> }</div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style=""> filelog {</div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style=""> /var/log/strongswan.log {</div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style=""> append = no</div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style=""> default = 1</div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style=""> flush_line = yes</div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style=""> }</div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style=""> }</div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style="">}</div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style=""><br clear="none" class="yiv6418747048" style=""></div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style=""><br clear="none" class="yiv6418747048" style=""></div><div dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554"></div><div class="yiv6418747048" dir="ltr" id="yiv6418747048yui_3_16_0_1_1425873452010_3554" style="">include strongswan.d/*.conf</div><div class="yiv6418747048" id="yiv6418747048yui_3_16_0_1_1425873452010_4323" style=""><br clear="none" class="yiv6418747048" style=""></div> <div class="yiv6418747048qtdSeparateBR"><br clear="none"><br clear="none"></div><div class="yiv6418747048yqt4932495924" 
id="yiv6418747048yqt37486"><div class="yiv6418747048yahoo_quoted" style="display: block;"> <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12px;"> <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;"> <div dir="ltr"> <font size="2" face="Arial"> On Sunday, March 8, 2015 11:07 PM, Noel Kuntze <noel@familie-kuntze.de> wrote:<br clear="none"> </font> </div> <br clear="none"><br clear="none"> <div class="yiv6418747048y_msg_container"><br clear="none">Hello Mark,<br clear="none"><br clear="none">There are two things you can do:<br clear="none">* Set the MTU strongSwan sets on the installed routes to one that includes the overhead of<br clear="none"> the UDP encapsulation and ESP header/trailer (since version 5.2.2)<br clear="none">* Use iptables to adjust the announced MSS (Maximum Segment Size) of TCP connections to include<br clear="none"> the overhead of UDP encapsulation and the ESP header/trailer (that can be done with strongSwan, too)<br clear="none"><br clear="none">Personally, I do both:<br clear="none">Note that I am lazy and just set MSS and MTU to 1300.<br clear="none"><br clear="none"># Generated by iptables-save v1.4.21 on Mon Mar 9 02:38:12 2015<br clear="none">*mangle<br clear="none">:PREROUTING ACCEPT [0:0]<br clear="none">:INPUT ACCEPT [0:0]<br clear="none">:FORWARD ACCEPT [0:0]<br clear="none">:OUTPUT ACCEPT [0:0]<br clear="none">:POSTROUTING ACCEPT [0:0]<br clear="none">-A FORWARD -s 172.16.20.0/23 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1300<br clear="none">COMMIT<br clear="none"># Completed on Mon Mar 9 02:38:12 2015<br clear="none"><br clear="none">(That goes into the charon or charon-systemd section in strongswan.conf. 
Depends on what charon binary you use.)<br clear="none"><br clear="none"> plugins {<br clear="none"> kernel-netlink {<br clear="none"> mtu = 1300<br clear="none"> mss = 1300<br clear="none"> }<br clear="none"> }<br clear="none"><br clear="none"><br clear="none">Kind Regards,<br clear="none">Noel Kuntze<br clear="none"><br clear="none">GPG Key ID: 0x63EC6658<br clear="none">Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br clear="none"><div class="yiv6418747048yqt9005903462" id="yiv6418747048yqtfd35545"><br clear="none">On 09.03.2015 at 02:32, Mark M wrote:<br clear="none">> I have a strongSwan server up and running behind my home Verizon FiOS router and have my phone with the Android client using a virtual IP connecting to it and sending all traffic to the server and having the server send the traffic back out my internet connection. The setup looks like this - Android client > Verizon router forwarded to strongSwan server >: strongSwan server sends requests out to the internet > sends back to Android client over tunnel.<br clear="none">><br clear="none">> Everything works great except that a lot of websites do not load or start to load and then time out. This has something to do with IP fragmentation not working. In Wireshark, I see the strongSwan server sending back ICMP destination unreachable (Fragmentation needed) back to the servers that are timing out. I was running a strongSwan server a few years back and had the same problem. The solution was to change the MTU on my Verizon router to 1400 and it fixed most of the fragmentation problems, but some sites still had this issue.<br clear="none">><br clear="none">> I still think something is broken with this and can be fixed without setting the MTU. 
I think path discovery or something like that is broken somewhere, possibly with the strongSwan server.<br clear="none">><br clear="none">> Does anyone know how to fix this issue?<br clear="none">><br clear="none">> Thanks,<br clear="none">><br clear="none">> Mark-</div><br clear="none">><br clear="none">><br clear="none">><br clear="none">> _______________________________________________<br clear="none">> Users mailing list<br clear="none">> <a rel="nofollow" shape="rect" ymailto="mailto:Users@lists.strongswan.org" target="_blank" href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br clear="none">> <a rel="nofollow" shape="rect" target="_blank" href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a><br clear="none"><br clear="none"></div> </div> </div> </div></div> </div></div></div><br><br></div> </div> </div> </div> </div></body></html>