[strongSwan] Limit path MTU of IPsec between hosts
johannes at hubertz.de
Fri Aug 22 12:26:25 CEST 2014
Hello Noel, Tobias and Listreaders.
I'm doing the following on the strongswan gateway (4.5.2) based on Debian:
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1280
Changing PCs behind the gateway is not necessary. But it might be a good
idea to have the iptables rule on both ends of the IPsec tunnel.
That solves perhaps more than I need, but it works well.
Kind regards, happy working
On 22.08.2014 10:46, Noel Kuntze wrote:
> Hello Tobias,
> I tried the iptables commands on the VPN endpoint, which SNATs the connections to the internet, but that didn't work.
> What worked was doing it on the VPN initiator in my LAN, which connects to the internet over the other endpoint. No idea why only that works.
> Noel Kuntze
> GPG Key id: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> On 22.08.2014 at 10:29, Tobias Brunner wrote:
>> Hi Noel,
>>> Is there a way to limit the mss that is encapsulated into the ESP packets
>>> and/or cause fragmentation on either of the endpoints?
>> You can do so via iptables (http://lartc.org/howto/lartc.cookbook.mtu-mss.html)
>> or the patches at https://wiki.strongswan.org/issues/632#note-14
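An added worked example (not part of any post in this thread) of what the `-j TCPMSS --set-mss` rule above actually does, and how the MSS value relates to the path MTU and the ESP overhead. The ESP cipher parameters (AES-CBC style 16-byte IV and blocks, 12-byte ICV) and the sample addresses and ports are constructed assumptions; the thread names neither the cipher nor the hosts. The clamp function walks the TCP option list of an IPv4 SYN, lowers the MSS option if it is above the target, and recomputes the TCP checksum, which is exactly the rewrite the netfilter target performs on forwarded SYNs.

```python
"""Added example: MSS clamping for IPsec-tunnelled TCP, as done by the
iptables TCPMSS target.  Cipher sizes, addresses and ports are assumptions."""
import struct


def esp_tunnel_overhead(iv_len=16, icv_len=12, block_size=16, nat_t=False):
    """Worst-case bytes that ESP tunnel mode adds around one inner IPv4 packet.
    Defaults assume a 16-byte IV and 16-byte cipher blocks (AES-CBC style) and a
    96-bit ICV; these are assumptions, the thread does not name the cipher."""
    outer_ip = 20              # new outer IPv4 header
    udp = 8 if nat_t else 0    # UDP header when NAT traversal is in use
    spi_seq = 8                # ESP header: SPI + sequence number
    worst_pad = block_size - 1 # padding up to the cipher block boundary
    trailer = 2                # pad length + next header
    return outer_ip + udp + spi_seq + iv_len + worst_pad + trailer + icv_len


def max_mss_for_mtu(path_mtu, overhead):
    """Largest MSS whose inner IPv4+TCP packet (no TCP options) still fits."""
    return path_mtu - overhead - 20 - 20


def _checksum(data):
    """RFC 1071 ones'-complement checksum; odd-length input is zero padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_checksum(pkt, ihl, tcp_len):
    """TCP checksum over pseudo header + segment with the checksum field zeroed."""
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, tcp_len)
    seg = bytearray(pkt[ihl:ihl + tcp_len])
    seg[16:18] = b"\x00\x00"
    return _checksum(bytes(pseudo) + bytes(seg))


def tcp_checksum_ok(packet):
    """True when the stored TCP checksum matches a fresh computation."""
    ihl = (packet[0] & 0x0F) * 4
    tcp_len = struct.unpack("!H", packet[2:4])[0] - ihl
    stored = struct.unpack("!H", packet[ihl + 16:ihl + 18])[0]
    return stored == _tcp_checksum(packet, ihl, tcp_len)


def _mss_option_offset(pkt):
    """Offset of the MSS option (kind 2, length 4) in an IPv4 TCP SYN, or None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None                          # not IPv4 carrying TCP
    tcp = (pkt[0] & 0x0F) * 4
    if not pkt[tcp + 13] & 0x02:             # only SYN segments carry MSS
        return None
    i, end = tcp + 20, tcp + (pkt[tcp + 12] >> 4) * 4
    while i < end:
        kind = pkt[i]
        if kind == 0:                        # end of option list
            break
        if kind == 1:                        # NOP: single byte
            i += 1
            continue
        if i + 1 >= end or pkt[i + 1] < 2:   # malformed option, stop walking
            break
        if kind == 2 and pkt[i + 1] == 4:
            return i
        i += pkt[i + 1]
    return None


def read_mss(packet):
    """MSS option value of an IPv4 TCP SYN, or None if absent."""
    off = _mss_option_offset(packet)
    return None if off is None else struct.unpack("!H", packet[off + 2:off + 4])[0]


def clamp_syn_mss(packet, new_mss):
    """Lower the MSS option to new_mss (what `-j TCPMSS --set-mss` does) and fix
    the TCP checksum.  Returns (packet, changed)."""
    pkt = bytearray(packet)
    off = _mss_option_offset(pkt)
    if off is None or read_mss(pkt) <= new_mss:
        return bytes(pkt), False
    ihl = (pkt[0] & 0x0F) * 4
    tcp_len = struct.unpack("!H", pkt[2:4])[0] - ihl
    pkt[off + 2:off + 4] = struct.pack("!H", new_mss)
    pkt[ihl + 16:ihl + 18] = struct.pack("!H", _tcp_checksum(pkt, ihl, tcp_len))
    return bytes(pkt), True


def build_syn(src, dst, sport, dport, mss):
    """Constructed IPv4/TCP SYN with options NOP, window scale, MSS (8 bytes)."""
    opts = b"\x01\x03\x03\x07" + struct.pack("!BBH", 2, 4, mss)
    doff = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, doff << 4, 0x02,
                      65535, 0, 0) + opts
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    pkt = bytearray(ip + tcp)
    pkt[36:38] = struct.pack("!H", _tcp_checksum(pkt, 20, len(tcp)))
    return bytes(pkt)


if __name__ == "__main__":
    syn = build_syn("10.0.0.2", "198.51.100.10", 40000, 443, 1460)  # constructed
    clamped, changed = clamp_syn_mss(syn, 1280)   # 1280 as in the thread's rule
    print(read_mss(syn), "->", read_mss(clamped), changed, tcp_checksum_ok(clamped))
    print("worst-case ESP overhead:", esp_tunnel_overhead(), "bytes")
    print("max MSS for 1500 MTU:", max_mss_for_mtu(1500, esp_tunnel_overhead()))
```

With the assumed cipher sizes the worst-case tunnel-mode overhead is 73 bytes (81 with NAT-T), so an MSS of 1387 would already fit a 1500-byte path; the thread's 1280 leaves extra headroom for larger ICVs, NAT-T and TCP options. Note the rule clamps only the SYN direction it sees, which is why placing it on both ends of the tunnel, as suggested above, covers connections initiated from either side.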