[strongSwan] Limit path MTU of IPsec between hosts

Noel Kuntze noel at familie-kuntze.de
Sat Aug 23 23:43:40 CEST 2014


Hello Johannes and list readers,

Getting the mtu isn't a real fix, because the kernel copies the df bit from the encapsulated packet onto the ESP packet. I saw that using tcpdump and wireshark on the local VPN endpoint.
Maybe setting a low path mtu for the route over the gateway fixes that (mtu lock 1400), so the local VPN endpoint sends ICMP error messages to the actual sender to tell it to fragment the packet.

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 23.08.2014 at 23:32, Johannes Hubertz wrote:
> Hello Noel and list readers,
>
> if your gateway is sending ESP packets which need to be fragmented, the
> only way to change this is by setting smaller MTU sizes on the outgoing
> interfaces of those hosts which are sending these ESP packets. The
> behavior of ESP is totally independent from TCP MSS, sorry for my
> misreading of your first mail.
>
> Perhaps you would like to find out a maximum usable MTU size by sending pings
> with increasing packet sizes (-s xyz) while watching with tcpdump what's
> coming back. Of course, ICMP echo-request and echo-reply must not be
> filtered on your gateways in INPUT and OUTPUT chains. And you need to
> run tcpdump on the gateway(s) or on a router in between them.
>
> Happy working,
> Have fun!
>
> Johannes
>
