[strongSwan] Limit path MTU of IPsec between hosts

Johannes Hubertz johannes at hubertz.de
Fri Aug 22 12:26:25 CEST 2014

Hello Noel, Tobias and Listreaders.

I'm oing on the strongswan gateway (4.5.2) based on Debian following

iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1280

Changing PCs behind the gateway is not neccessary. But it might be agood
idea to have the iptables on both ends of the IPsec-tunnel.

That solves? perhaps more than I need, but it works well.

Kind regards, happy working

On 22.08.2014 10:46, Noel Kuntze wrote:
> Hello Tobias,
> I tried the iptables commands on the VPN endpoint, which SNATs the connections to the internet, but that didn't work.
> What worked was doing it on the VPN initiator in my LAN, which connects to the internet over the other endpoint. No idea why only that works.
> Thanks!
> Regards,
> Noel Kuntze
> GPG Key id: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> Am 22.08.2014 um 10:29 schrieb Tobias Brunner:
>> Hi Noel,
>>> Is there a way to limit the mss that is encapsulated into the ESP packets
>>> and/or cause fragmentation on either of the endpoints?
>> You can do so via iptables [1] or the patches at [2].
>> Regards,
>> Tobias
>> [1] http://lartc.org/howto/lartc.cookbook.mtu-mss.html
>> [2] https://wiki.strongswan.org/issues/632#note-14
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 259 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140822/2e295edf/attachment.pgp>

More information about the Users mailing list