[strongSwan] Limit path MTU of IPsec between hosts
Johannes Hubertz
johannes at hubertz.de
Fri Aug 22 12:26:25 CEST 2014
Hello Noel, Tobias and list readers.
I'm doing on the strongSwan gateway (4.5.2) based on Debian the following
setting:
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1280
Changing PCs behind the gateway is not necessary. But it might be a good
idea to have the iptables rule on both ends of the IPsec tunnel.
That solves perhaps more than I need, but it works well.
Kind regards, happy working
Johannes
On 22.08.2014 10:46, Noel Kuntze wrote:
> Hello Tobias,
>
> I tried the iptables commands on the VPN endpoint, which SNATs the connections to the internet, but that didn't work.
> What worked was doing it on the VPN initiator in my LAN, which connects to the internet over the other endpoint. No idea why only that works.
> Thanks!
>
> Regards,
> Noel Kuntze
>
> GPG Key id: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 22.08.2014 at 10:29, Tobias Brunner wrote:
>> Hi Noel,
>
>>> Is there a way to limit the mss that is encapsulated into the ESP packets
>>> and/or cause fragmentation on either of the endpoints?
>
>> You can do so via iptables [1] or the patches at [2].
>
>> Regards,
>> Tobias
>
>> [1] http://lartc.org/howto/lartc.cookbook.mtu-mss.html
>> [2] https://wiki.strongswan.org/issues/632#note-14
>
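The MSS clamping rule in Johannes's message above, worked into a small script as an added example (this is not code from the post or from the strongSwan project): it derives an MSS value from the outer path MTU and an assumed ESP overhead, checks that the value is sensible, and prints the iptables rules, scoped with the xt_policy match so that only traffic that really gets IPsec-encapsulated is clamped. The 80-byte overhead figure, the `APPLY` variable and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post: derive a TCP MSS from
# the outer path MTU and an assumed ESP overhead, then print (and optionally
# apply) TCPMSS clamping rules for a strongSwan gateway.

# Assumed per-packet overhead of ESP tunnel mode over IPv4 with AES-CBC and
# HMAC-SHA1-96: outer IPv4 20 + SPI/sequence 8 + IV 16 + padding up to 15 +
# pad-length/next-header 2 + ICV 12 = 73 bytes, rounded up to 80 for slack.
# This is an assumption for the example, not a figure from the thread.
ESP_OVERHEAD=80

# mss_for_mtu MTU [OVERHEAD]
# MSS = MTU - ESP overhead - inner IPv4 header (20) - TCP header (20).
mss_for_mtu() {
    echo $(( $1 - ${2:-$ESP_OVERHEAD} - 40 ))
}

# mss_is_sane MSS: 536 is the IPv4 minimum MSS, 1460 the maximum that fits a
# 1500-byte link without any encapsulation at all.
mss_is_sane() {
    [ "$1" -ge 536 ] && [ "$1" -le 1460 ]
}

# clamp_rules MSS: emit the iptables commands.  The post's rule matches every
# forwarded SYN with RST clear (so both SYN and SYN/ACK) regardless of
# destination.  Here the same match is restricted with -m policy to packets
# that will be encapsulated on the way out (--dir out) or were decapsulated on
# the way in (--dir in), so plain forwarded traffic keeps its full MSS.
clamp_rules() {
    mss=$1
    cat <<EOF
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -m policy --dir out --pol ipsec -j TCPMSS --set-mss $mss
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -m policy --dir in --pol ipsec -j TCPMSS --set-mss $mss
EOF
}

MSS=$(mss_for_mtu 1500)    # 1380 with the assumed overhead; the post uses 1280
if mss_is_sane "$MSS"; then
    if [ "${APPLY:-0}" = 1 ]; then
        clamp_rules "$MSS" | sh    # run as root to install the rules
    else
        clamp_rules "$MSS"         # dry run: only print the rules
    fi
fi
```

Run it without arguments to see the rules, or as root with `APPLY=1` to install them. A fixed `--set-mss` value only helps if the outer path really offers the MTU it was computed from; the 1280 used in the post is a conservative choice that also survives paths with a lower outer MTU than 1500. Because the clamp rewrites the SYN of each forwarded connection, it takes effect for new connections only, and installing it at one tunnel end clamps the MSS that the hosts behind that end advertise; putting it on both ends, as the post suggests, covers both directions of every connection.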