[strongSwan] Limit path MTU of IPsec between hosts

Noel Kuntze noel at familie-kuntze.de
Fri Aug 22 10:46:29 CEST 2014



Hello Tobias,

I tried the iptables commands on the VPN endpoint, which SNATs the connections to the internet, but that didn't work.
What worked was doing it on the VPN initiator in my LAN, which connects to the internet over the other endpoint. No idea why only that works.
Thanks!

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 22.08.2014 at 10:29, Tobias Brunner wrote:
> Hi Noel,
> 
>> Is there a way to limit the mss that is encapsulated into the ESP packets
>> and/or cause fragmentation on either of the endpoints?
> 
> You can do so via iptables [1] or the patches at [2].
> 
> Regards,
> Tobias
> 
> [1] http://lartc.org/howto/lartc.cookbook.mtu-mss.html
> [2] https://wiki.strongswan.org/issues/632#note-14
> 

