[strongSwan] Limit path MTU of IPsec between hosts

Noel Kuntze noel at familie-kuntze.de
Sat Aug 23 23:44:14 CEST 2014


Oh, and what I forgot was that the kernel doesn't fragment the ESP packet and just sends it, ignoring the discovered path MTU.

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 23.08.2014 at 23:32, Johannes Hubertz wrote:
> Hello Noel and Listreaders,
>
> if your gateway is sending esp packets which need to be fragmented, the
> only way to change this is by setting smaller mtu-sizes on the outgoing
> interfaces of those hosts, which are sending these ESP-packets. The
> behavior of ESP is totally independent from tcp-mss, sorry for my
> misreading of your first mail.
>
> Perhaps you'd like to find out a maximum usable mtu-size by sending pings
> with increasing packet sizes (-s xyz) while watching with tcpdump, what's
> coming back. Of course, icmp echo-request and echo-reply must not be
> filtered on your gateways in INPUT and OUTPUT chains. And you need to
> run tcpdump on the gateway(s) or on a router in between them.
>
> Happy working,
> Have fun!
>
> Johannes
>
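
Added example, not part of the thread or of strongSwan: one way to script the ping probing suggested in the quoted reply, using a binary search over the `-s` payload size and Linux iputils ping's don't-fragment mode (`-M do`) in place of watching tcpdump. The function names, the `PROBE` override and the 548 to 1472 byte search range are assumptions made for this sketch; it covers IPv4 only and needs ICMP echo to pass between the gateways.

```shell
#!/bin/sh
# Added example; probe_ping, find_max_payload and path_mtu are hypothetical names.

# Send one echo request with the DF bit set (iputils ping: -M do).
# $1 = peer address, $2 = ICMP payload size in bytes. Succeeds only on a reply.
probe_ping() {
    ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# Binary search for the largest payload that still gets through unfragmented.
# $1 = peer, $2 = lowest size to try, $3 = highest size to try.
# Prints the size; returns 1 if even the lowest size fails (ICMP filtered?).
# Set PROBE to another function name to replace the real ping (used for testing).
find_max_payload() {
    host=$1 lo=$2 hi=$3
    "${PROBE:-probe_ping}" "$host" "$lo" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))      # round up so the loop terminates
        if "${PROBE:-probe_ping}" "$host" "$mid"; then
            lo=$mid                       # mid fits, look higher
        else
            hi=$(( mid - 1 ))             # mid is too big, look lower
        fi
    done
    echo "$lo"
}

# Path MTU = largest payload + 20 bytes IPv4 header + 8 bytes ICMP header.
# $1 = peer, optional $2/$3 = search range (defaults assumed: 548..1472).
path_mtu() {
    payload=$(find_max_payload "$1" "${2:-548}" "${3:-1472}") || return 1
    echo $(( payload + 28 ))
}
```

Run `path_mtu <peer-gateway-address>` on one gateway; the result is the MTU of the unencrypted path between the gateways, so the size usable inside the tunnel is smaller by the ESP overhead.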
