[strongSwan] Strongswan IPv6 and MTU\MSS

Eric_C_Johnson at Dell.com Eric_C_Johnson at Dell.com
Thu Mar 8 16:34:20 CET 2012


I never heard back on this from anybody.  I am responding because I continue to see this problem regularly.  For whatever reason my Strongswan host inconsistently negotiates standard frames when jumbo frames are enabled.  If I disable IPSec I negotiate jumbo frames 100% of the time.  The problem appears only when trying to negotiate MTU over IPSec.  And even then I can negotiate jumbo frames periodically.

Does anybody know if there is a directive in Strongswan that forces jumbo frames?

Thanks in advance.

From: Johnson, Eric C
Sent: Thursday, February 09, 2012 8:18 AM
To: users at lists.strongswan.org
Subject: Strongswan IPv6 and MTU\MSS


I've run into an issue where I cannot negotiate jumbo frames consistently for iSCSI connections over an IPv6 based IPSec tunnel. The unusual part is if I logout and login my iSCSI connections repeatedly jumbo frames will eventually get negotiated.   If I disable IPSec, the iSCSI connections negotiate jumbo frames 100% of the time.  It does not matter if I use IKEv1\IKEv2 or PSK\certs.  The problem is consistently reproducible if I use IPv6.  Additionally I do not see this problem for iSCSI connections over an IPv4 based IPSec tunnel (using IKEv1\IKEv2 or PSK\certs).

I took a trace of the  negotiation problem and after decrypting the ESP packets it appears the Strongswan host is sending an MSS of 1220 bytes when standard frames are negotiated and an MSS of 8940 bytes when jumbo frames are negotiated.  I've verified via ifconfig that the MTU of my interface is '9000'.  Outside of Strongswan IPSec with IPv6 I do not see this problem.

Is this a known issue?  If so, does anybody know if there is a workaround?

Thanks in advance.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120308/ac7c3798/attachment.html>

More information about the Users mailing list