[strongSwan] MTU / fragmentation

Ali Masoudi masoudi1983 at gmail.com
Sat Feb 23 07:44:15 CET 2013


Hi

I'm not sure about this, but I think there are some other posts in
mailing list about that. I had this problem too a while ago and I
solved it as you did. But you can use iptables with MSS clamp like
this at your side:

# iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 128

Best wishes

On Thu, Feb 21, 2013 at 6:03 PM, kgardenia42 <kgardenia42 at googlemail.com> wrote:
> Hi,
>
> I have a recurring problem whereby when connected to strongswan 5.0.2
> in AWS (same client version) I can't do:
>
>    curl http://www.2600.com
>
> It just stalls/blocks on the client side and never returns. I'm not
> sure what it is about that site. Generally all other sites work fine.
> I have seen the same thing on multiple installs.
>
> When I tcpdump on the server side I can see lots of spinning packets
> that look like this:
>
> 14:29:03.782376 IP <aws hostname > 207.99.30.226: ICMP <aws hostname>
> unreachable - need to frag (mtu 1422), length 556
>
> When I set the MTU on my (Ubuntu) client machine down from 1500 to
> 1400 this goes away.
>
> It isn't an option to tell users to change MTU on their client
> machines.  Is there some configuration setting I need to use here to
> avoid this?  either within or external to strongswan.
>
> Thanks,
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
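Added example (not part of the thread above, and not strongSwan's or anyone's code from the list): a small Python helper that does the arithmetic behind the MSS clamp suggested in the reply. It pulls the path MTU out of "need to frag" ICMP lines as tcpdump prints them, derives the tunnel overhead from the client MTU, computes the largest TCP MSS that fits the path, and mirrors what TCPMSS --clamp-mss-to-pmtu does to the MSS option of one SYN. The sample capture lines are constructed (placeholder hostnames and documentation addresses), and the 20-byte IPv4 and 20-byte TCP header sizes are assumed (no TCP options, IPv4 only).

```python
import re
from typing import List, Optional

# Constructed sample capture, modelled on the line quoted in the thread.
# Hostnames and addresses are placeholders, not real infrastructure.
SAMPLE_CAPTURE = """\
14:29:03.782376 IP gw.example.invalid > 203.0.113.10: ICMP gw.example.invalid unreachable - need to frag (mtu 1422), length 556
14:29:03.790112 IP 203.0.113.10.80 > 10.0.0.5.51234: Flags [.], seq 1:1381, ack 1, win 64240, length 1380
14:29:04.001003 IP gw.example.invalid > 203.0.113.10: ICMP gw.example.invalid unreachable - need to frag (mtu 1422), length 556
"""

# Matches the MTU tcpdump prints for ICMP type 3 code 4 (fragmentation needed).
NEED_FRAG_RE = re.compile(r"need to frag \(mtu (\d+)\)")

# Assumed header sizes: IPv4 without options, TCP without options.
IPV4_HEADER = 20
TCP_HEADER = 20


def need_frag_mtus(capture: str) -> List[int]:
    """Return the MTU advertised by every 'need to frag' line in a capture."""
    return [int(m.group(1)) for m in NEED_FRAG_RE.finditer(capture)]


def path_mtu(capture: str) -> Optional[int]:
    """The effective path MTU is the smallest one any router reported."""
    mtus = need_frag_mtus(capture)
    return min(mtus) if mtus else None


def tunnel_overhead(client_mtu: int, pmtu: int) -> int:
    """Bytes the tunnel encapsulation (ESP, optional UDP, padding) adds per packet."""
    return client_mtu - pmtu


def max_mss(mtu: int, ip_header: int = IPV4_HEADER, tcp_header: int = TCP_HEADER) -> int:
    """Largest TCP payload that fits in one packet of the given MTU."""
    return mtu - ip_header - tcp_header


def segment_needs_fragmentation(client_mtu: int, pmtu: int) -> bool:
    """True when a full-size packet from the client is larger than the path MTU."""
    return client_mtu > pmtu


def clamp_mss(advertised_mss: int, pmtu: int) -> int:
    """What --clamp-mss-to-pmtu does to one SYN: lower the MSS option so that a
    full segment fits the path MTU, leave it alone if it already fits."""
    return min(advertised_mss, max_mss(pmtu))


if __name__ == "__main__":
    pmtu = path_mtu(SAMPLE_CAPTURE)
    print("path MTU reported by ICMP:", pmtu)
    print("tunnel overhead for a 1500-byte client:", tunnel_overhead(1500, pmtu))
    print("largest MSS that fits:", max_mss(pmtu))
    for client_mtu in (1500, 1400):
        print(f"client MTU {client_mtu}: fragmentation needed ->",
              segment_needs_fragmentation(client_mtu, pmtu))
    print("SYN with MSS 1460 after clamp:", clamp_mss(1460, pmtu))
```

The two client MTUs in the demo reproduce the observation in the original question: a 1500-byte client exceeds the 1422-byte path inside the tunnel, a 1400-byte client does not. Clamping the MSS on the gateway removes the dependency on the client's MTU, which is why the FORWARD-chain rule works without touching the client.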




More information about the Users mailing list