[strongSwan] IP Fragmentation problems on some websites

Mirko Parthey mirko.parthey at informatik.tu-chemnitz.de
Sun Jul 22 02:08:58 CEST 2012

On Sat, Jul 21, 2012 at 10:14:55AM -0700, Mark M wrote:
> I got my strongSwan gateway up and running. It is sitting behind my FIOS router
> and acting as VPN gateway for roadwarrior/mobile clients. I thought everything
> was working great until i noticed that some websites do not load. The first one
> I found was yahoo.com. I fired up Wireshark and noticed when I receive packets
> back from yahoo.com my strongSwan gateway sends Fragmentation needed ICMP
> messages back.

"Fragmentation needed" messages are not a problem themselves. They just
ask the original sender to reduce its maximum packet size for future
transmissions to the same destination (Path MTU discovery).

The trouble starts when these "Fragmentation needed" messages do not
arrive because they are dropped by a misconfigured firewall, most likely
near the server, perhaps also at your site.  The web server will then
continue sending packets too large to be forwarded by your gateway.

IPsec encapsulation (ESP) adds some size overhead, so it is likely
triggering this problem for you.  In other scenarios, any tunneling
protocol or any link with an MTU less than 1500 can be a trigger as well.

> Setting the MTU on my strongSwan gateway interfaces had no effect. I then set
> the MTU on my verizon FIOS router to 1400 and some pages would start to work
> ok, like yahoo.com would start to work but still others would not with the same
> fragmentation problem.

Reducing the MTU on some intermediate router's interfaces is unlikely to
fix the problem.

> Instead of putting the MTU on my FIOS router way down and possibly having other
> performance problems, is there an easy way to fix this?

The best option would be to fix the root cause and make sure the
"Fragmentation needed" messages get through.

Where this is not possible, or as a general safeguard, I can recommend
this workaround from the iptables manpage:

  iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

It only affects TCP, but usually this is sufficient.  On a PPPoE link with
an MTU of 1492, it eliminated all MTU-related problems for me.

Kind regards,
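The ESP overhead mentioned above, worked through as an added example that is not part of the thread: it computes the largest inner packet that survives a 1500-byte outer path for two common cipher choices (with and without NAT-T UDP encapsulation) and the TCP MSS a clamp would have to advertise. Header sizes follow RFC 4303, RFC 4106 and RFC 3948; the suite names are illustrative assumptions.

```python
# Added example (not from the thread): ESP/IPsec size overhead arithmetic.
# Computes the largest inner IPv4 packet whose ESP-encapsulated form still fits
# an outer path MTU, and the TCP MSS an MSS clamp would have to advertise.
# Byte counts follow RFC 4303 (ESP), RFC 4106 (AES-GCM) and RFC 3948 (NAT-T);
# the cipher-suite names below are illustrative assumptions.
from dataclasses import dataclass

IPV4_HDR = 20      # outer and inner IPv4 header, no options
TCP_HDR = 20       # TCP header without options
UDP_HDR = 8        # present only with NAT-T UDP encapsulation
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1), inside the encrypted part


@dataclass(frozen=True)
class EspCipher:
    name: str
    iv_len: int    # explicit IV bytes carried after the ESP header
    align: int     # padding boundary of the encrypted part
    icv_len: int   # integrity check value appended after the trailer


# Assumed suite names; the byte counts are the standard ones for these algorithms.
AES128_CBC_SHA1 = EspCipher("aes128-sha1", iv_len=16, align=16, icv_len=12)
AES128_GCM16 = EspCipher("aes128gcm16", iv_len=8, align=4, icv_len=16)


def esp_packet_len(inner_len: int, cipher: EspCipher, nat_t: bool = False) -> int:
    """On-the-wire size of an inner packet of inner_len bytes in ESP tunnel mode."""
    encrypted = inner_len + ESP_TRAILER
    encrypted += (-encrypted) % cipher.align        # pad up to the alignment boundary
    outer = IPV4_HDR + (UDP_HDR if nat_t else 0)
    return outer + ESP_HDR + cipher.iv_len + encrypted + cipher.icv_len


def max_inner_mtu(outer_mtu: int, cipher: EspCipher, nat_t: bool = False) -> int:
    """Largest inner packet that passes through the tunnel without fragmentation."""
    avail = outer_mtu - IPV4_HDR - (UDP_HDR if nat_t else 0)
    avail -= ESP_HDR + cipher.iv_len + cipher.icv_len
    avail -= avail % cipher.align                    # encrypted part must stay aligned
    return avail - ESP_TRAILER


def clamped_mss(inner_mtu: int) -> int:
    """TCP MSS that keeps every segment within inner_mtu (what an MSS clamp advertises)."""
    return inner_mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    for cipher in (AES128_CBC_SHA1, AES128_GCM16):
        for nat_t in (False, True):
            mtu = max_inner_mtu(1500, cipher, nat_t)
            print(f"{cipher.name:12} nat_t={nat_t!s:5} inner MTU {mtu}  MSS {clamped_mss(mtu)}")
```

With AES-CBC/SHA1 on a 1500-byte outer path the inner MTU comes out at 1438 bytes (MSS 1398), which is why a 1400-byte MTU happens to help some sites but still leaves a few bytes too many for others.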
