[strongSwan] Limit path MTU of IPsec between hosts

Noel Kuntze noel at familie-kuntze.de
Sat Aug 23 15:00:16 CEST 2014



Hello Johannes, Tobias and Listreaders,

I still have problems with hosts on the network that send packets with length > pmtu/mss and df bit set.
That generates an ICMP HOST UNREACHABLE (FRAGMENTATION NEEDED) error message that is sent by the ds-lite gateway to the VPN endpoint in the LAN.
Is there a way to relay that icmp error message to the original sender or force fragmentation on the VPN endpoint?

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 22.08.2014 at 12:26, Johannes Hubertz wrote:
> Hello Noel, Tobias and Listreaders.
>
> I'm using the following setting on the strongswan gateway (4.5.2) based on
> Debian:
>
> iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1280
>
> Changing PCs behind the gateway is not necessary. But it might be a good
> idea to have the iptables on both ends of the IPsec-tunnel.
>
> That solves perhaps more than I need, but it works well.
>
> Kind regards, happy working
> Johannes
>
>
>
> On 22.08.2014 10:46, Noel Kuntze wrote:
>> Hello Tobias,
>>
>> I tried the iptables commands on the VPN endpoint, which SNATs the connections to the internet, but that didn't work.
>> What worked was doing it on the VPN initiator in my LAN, which connects to the internet over the other endpoint. No idea why only that works.
>> Thanks!
>>
>> Regards,
>> Noel Kuntze
>>
>> GPG Key id: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 22.08.2014 at 10:29, Tobias Brunner wrote:
>>> Hi Noel,
>>
>>>> Is there a way to limit the mss that is encapsulated into the ESP packets
>>>> and/or cause fragmentation on either of the endpoints?
>>
>>> You can do so via iptables [1] or the patches at [2].
>>
>>> Regards,
>>> Tobias
>>
>>> [1] http://lartc.org/howto/lartc.cookbook.mtu-mss.html
>>> [2] https://wiki.strongswan.org/issues/632#note-14
>>
>>
>
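As an added example (not code from the thread or from strongSwan), a small Python decoder for the ICMP "Fragmentation Needed" error discussed above: it validates the ICMP checksum, pulls out the next-hop MTU the gateway reports and the quoted original IP header, so a defender can see which LAN host the error was meant for and whether the dropped packet really exceeded the MTU. All addresses, sizes and the 1280-byte MTU in the sample packet are constructed values.

```python
import socket
import struct

ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4  # ICMP type/code for "Fragmentation Needed"

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, df: bool) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum (used to build the sample)."""
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, flags_frag, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]

def parse_frag_needed(packet: bytes) -> dict:
    """Decode an IPv4/ICMP 'Fragmentation Needed' error and the original header it quotes."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or packet[9] != socket.IPPROTO_ICMP or len(packet) < ihl + 28:
        raise ValueError("not an IPv4/ICMP packet carrying a quoted IP header")
    icmp = packet[ihl:]
    if ones_complement_sum(icmp) != 0:  # a correctly checksummed ICMP message sums to zero
        raise ValueError("bad ICMP checksum")
    itype, code, _csum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        raise ValueError("not a Fragmentation Needed error (type 3, code 4)")
    inner = icmp[8:]  # quoted IP header (+ first 8 bytes) of the datagram that was dropped
    orig_len, _ident, flags_frag = struct.unpack("!HHH", inner[2:8])
    return {
        "gateway": socket.inet_ntoa(packet[12:16]),
        "next_hop_mtu": next_hop_mtu,
        "orig_src": socket.inet_ntoa(inner[12:16]),  # the LAN host the error should reach
        "orig_dst": socket.inet_ntoa(inner[16:20]),
        "orig_len": orig_len,
        "orig_df": bool(flags_frag & 0x4000),
        "exceeds_mtu": orig_len > next_hop_mtu,
    }

# Constructed sample (not a capture): a 1400-byte DF datagram from LAN host 192.0.2.10
# to 198.51.100.1 was dropped by gateway 203.0.113.1, which reports a next-hop MTU of 1280.
ORIGINAL_HDR = build_ipv4_header("192.0.2.10", "198.51.100.1", socket.IPPROTO_TCP, 1380, df=True)
_body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, 1280) + ORIGINAL_HDR + b"\x00" * 8
_body = _body[:2] + struct.pack("!H", ones_complement_sum(_body)) + _body[4:]
SAMPLE_PACKET = build_ipv4_header("203.0.113.1", "192.0.2.1", socket.IPPROTO_ICMP, len(_body), df=False) + _body
```

Running `parse_frag_needed(SAMPLE_PACKET)` reports `exceeds_mtu` as true and names 192.0.2.10 as the original sender, which is the host that would need to receive the error for PMTU discovery to work.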

