[strongSwan] Limit path MTU of IPsec between hosts

Johannes Hubertz johannes at hubertz.de
Sat Aug 23 23:32:16 CEST 2014


Hello Noel and Listreaders,

if your gateway is sending esp packets which need to be fragmented, the
only way to change this is by setting smaller mtu-sizes on the outgoing
interfaces of those hosts, which are sending these ESP-packets. The
behavior of ESP is totally independent from tcp-mss, sorry for my
misreading of your first mail.

Perhaps you would like to find out a maximum usable mtu-size by sending pings
with increasing packet-sizes (-s xyz) while watching with tcpdump, what's
coming back. Of course, icmp echo-request and echo-reply must not be
filtered on your gateways in INPUT and OUTPUT chains. And you need to
run tcpdump on the gateway(s) or on a router in between them.

Happy working,
Have fun!

Johannes
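
The ping sweep described in the message above, as an added example that is not part of the original mail: it bisects the payload sizes instead of stepping through them and uses a tcpdump filter to spot fragmented ESP. PEER, IFACE, the 1000..1472 range and the function names are assumptions; it expects Linux `ping`, `timeout` and `tcpdump`, plain ESP without UDP encapsulation, and an otherwise quiet tunnel.

```sh
#!/bin/sh
# Added example: bisect ping payload sizes and watch for fragmented ESP.
# PEER and IFACE are hypothetical; run as root on the sending gateway.

# IPv4 ESP (protocol 50) with MF set or a non-zero fragment offset.
# Assumes plain ESP; with UDP encapsulation (NAT-T) the filter would differ.
FRAG_FILTER='ip proto 50 and (ip[6:2] & 0x3fff != 0)'

# ICMP payload (-s) plus 8 bytes ICMP header and 20 bytes IPv4 header.
payload_to_ip_len() { echo $(( $1 + 28 )); }

# Succeeds if a ping with payload $1 is answered and no fragmented ESP
# packet shows up on IFACE while it is in flight.
probe_live() {
    timeout 3 tcpdump -ni "$IFACE" -c 1 "$FRAG_FILTER" >/dev/null 2>&1 &
    cap=$!
    sleep 1                                   # let the capture start
    if ! ping -c 1 -W 2 -s "$1" "$PEER" >/dev/null 2>&1; then
        kill "$cap" 2>/dev/null || true
        return 1                              # no echo-reply came back
    fi
    if wait "$cap"; then return 1; fi         # tcpdump exited 0: saw a fragment
    return 0                                  # capture timed out: none seen
}

# find_max_payload LO HI PROBE: largest size in LO..HI accepted by PROBE,
# assuming every size up to some limit passes and every larger one fails.
find_max_payload() {
    lo=$1 hi=$2 probe=$3
    "$probe" "$lo" || return 1                # even the smallest size fails
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$mid"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo "$lo"
}

if [ "$#" -eq 2 ]; then
    PEER=$1 IFACE=$2
    max=$(find_max_payload 1000 1472 probe_live) || {
        echo "1000-byte probe was lost or already fragmented" >&2; exit 1; }
    echo "largest clean payload: $max" \
         "(inner IP packet: $(payload_to_ip_len "$max") bytes)"
fi
```

Invoked with a peer address behind the tunnel and the gateway's outgoing interface as its two arguments; without arguments it only defines the functions.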
