[strongSwan] Limit path MTU of IPsec between hosts

Johannes Hubertz johannes at hubertz.de
Sat Aug 23 23:32:16 CEST 2014

Hello Noel and Listreaders,

if your gateway is sending esp packets which need to be fragmented, the
only way to change this is by setting smaller mtu-sizes on the outgoing
interfaces of those hosts, which are sending these ESP-packets. The
behavior of ESP is totally independend from tcp-mss, sorry for my
misreading of your first mail.

Pehaps you like to find out a maximum usable mtu-size by sending pings
with icnreasing paket-sizes (-s xyz) while watching with tcpdump, whats
coming back. Of course, icmp echo-request and echo-reply must not be
filtered on your gateways in INPUT and OUTPUT chains. And you need to
run tcpdump on the gateway(s) or on a router in between them.

Happy working,
Have fun!


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 259 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140823/7f96cffa/attachment.pgp>

More information about the Users mailing list