[strongSwan] ICMP unreachable - need to frag packets

Jay Claybaugh gambit990 at gmail.com
Sat Sep 6 04:18:21 CEST 2014


I've set up an IKEv2 VPN between a phone running Android 4.4.2 with the
strongSwan 1.4.0 client and an OpenWrt server running Attitude Adjustment.

However, I'm having trouble with traffic packets not transferring correctly.
I believe the issue is that the encapsulated packets add to the original
payload and consequently exceed the MTU.  So only packets sent with a
smaller length are successfully received.

I've added the following line to the strongSwan server's iptables:

iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

This appears to help some, but packets sent from external sources to my phone
still exceed the MTU, and the source either ignores or doesn't receive the
corresponding ICMP "unreachable - need to frag" response.

I've enabled logging on the firewall and nothing is apparently being
filtered by my server's firewall (although I'm not very expert with this
firewall).

The following is an excerpt from tcpdump showing the incoming packets and
the outgoing ICMP.

01:49:10.781209 IP My.IP.43953 > 54.243.165.228.80: Flags [.], ack 440, win 245, options [nop,nop,TS val 1402179 ecr 934076867], length 0
01:49:10.781256 IP 93.184.216.146.443 > My.IP.49187: Flags [.], seq 1461:2921, ack 399, win 245, length 1460
01:49:10.781362 IP My.IP > 93.184.216.146: ICMP My.IP unreachable - need to frag (mtu 1422), length 556
01:49:10.781387 IP 93.184.216.146.443 > My.IP.49187: Flags [P.], seq 2921:3996, ack 399, win 245, length 1075
01:49:10.784264 IP My.IP.49187 > 93.184.216.146.443: Flags [.], ack 1, win 229, options [nop,nop,sack 1 {2921:3996}], length 0
01:49:10.786403 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 1:1449, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448
01:49:10.786539 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556
01:49:10.787454 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 1449:2897, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448
01:49:10.787572 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556
01:49:10.787601 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 2897:4345, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448
01:49:10.787664 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556
01:49:10.787690 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 4345:5793, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448
01:49:10.787752 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556
01:49:10.787778 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 5793:7241, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448
01:49:10.787840 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556
01:49:10.787865 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 7241:8689, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448
01:49:10.787928 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556
01:49:10.788403 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 8689:10137, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448
01:49:10.788520 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556
01:49:10.788548 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 10137:11585, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448
01:49:10.788609 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556
01:49:10.789050 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 11585:13033, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448
01:49:10.789156 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556
01:49:10.789184 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 13033:14481, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448
01:49:10.789247 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556
01:49:10.807630 IP 31.13.65.49.443 > My.IP.38113: Flags [.], seq 9080:10450, ack 1497, win 242, options [nop,nop,TS val 672677314 ecr 1402172], length 1370
01:49:10.808085 IP 31.13.65.49.443 > My.IP.38113: Flags [P.], seq 10450:10754, ack 1497, win 242, options [nop,nop,TS val 672677314 ecr 1402172], length 304
01:49:10.808311 IP 31.13.65.49.443 > My.IP.38113: Flags [.], seq 10754:12124, ack 1497, win 242, options [nop,nop,TS val 672677314 ecr 1402172], length 1370

As seen, the incoming packets are repeated as if the ICMP is not received.
The result is very inferior network responsiveness from a user perspective.
Any ideas on how to overcome this?


Jay
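The trace above shows the router advertising an MTU of 1422 while the remote servers keep sending 1500-byte packets (1460 bytes of payload plus 40 bytes of headers, or 1448 plus 52 with timestamps), so the ICMP is evidently being dropped on the way or ignored; only the 31.13.65.49 flow, at 1370 + 52 = 1422, already fits. A router cannot make a remote host honour its ICMP, but it can rewrite the MSS of every TCP session it forwards, and an explicit value derived from that MTU (1422 - 20 IPv4 - 20 TCP = 1382) removes TCP's dependence on path MTU discovery altogether; UDP flows are not helped by MSS clamping. The script below is an added example, not part of the original post, strongSwan or OpenWrt: it reads tcpdump output in the format shown, extracts the advertised MTU, counts the inbound segments that cannot fit, and prints the corresponding iptables rule with a fixed MSS instead of --clamp-mss-to-pmtu. The trace embedded in it is constructed from the post (one record per line), and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post, strongSwan or OpenWrt.
# Turns the MTU the router advertises in its ICMP "need to frag" replies into
# an explicit TCP MSS clamp, so forwarded TCP sessions no longer depend on
# remote hosts receiving and honouring that ICMP.  Function names are this
# example's own; the trace below is constructed from the post, one record per line.

SAMPLE_TRACE='01:49:10.781256 IP 93.184.216.146.443 > My.IP.49187: Flags [.], seq 1461:2921, ack 399, win 245, length 1460
01:49:10.781362 IP My.IP > 93.184.216.146: ICMP My.IP unreachable - need to frag (mtu 1422), length 556
01:49:10.781387 IP 93.184.216.146.443 > My.IP.49187: Flags [P.], seq 2921:3996, ack 399, win 245, length 1075
01:49:10.786403 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 1:1449, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448
01:49:10.786539 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556
01:49:10.787454 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 1449:2897, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448
01:49:10.807630 IP 31.13.65.49.443 > My.IP.38113: Flags [.], seq 9080:10450, ack 1497, win 242, options [nop,nop,TS val 672677314 ecr 1402172], length 1370
01:49:10.808085 IP 31.13.65.49.443 > My.IP.38113: Flags [P.], seq 10450:10754, ack 1497, win 242, options [nop,nop,TS val 672677314 ecr 1402172], length 304'

# Print the MTU from the first "unreachable - need to frag (mtu N)" record on
# stdin, i.e. the path MTU the router itself is telling the remote hosts about.
reported_mtu() {
    icmp_mtu=""
    while IFS= read -r line; do
        case $line in
            *"need to frag (mtu "*)
                if [ -z "$icmp_mtu" ]; then
                    icmp_mtu=${line##*"need to frag (mtu "}
                    icmp_mtu=${icmp_mtu%%")"*}
                fi ;;
        esac
    done
    echo "$icmp_mtu"
}

# MSS = MTU - 20 (IPv4 header) - 20 (TCP header).  TCP options such as
# timestamps are counted inside the MSS, so this is safe with them enabled.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Count inbound TCP data segments on stdin whose full IP packet (headers added
# back; 12 more bytes when the timestamp option is present) exceeds $1.
# $2 is the local address as tcpdump prints it (My.IP in the post).
# Each such segment is one the router had to answer with "need to frag".
oversized_segments() {
    limit=$1
    local_host=${2:-My.IP}
    n=0
    while IFS= read -r line; do
        case $line in
            *" > $local_host."*": Flags "*) ;;   # inbound TCP toward the VPN client
            *) continue ;;                         # outbound, ICMP, anything else
        esac
        len=${line##*" length "}                   # TCP payload bytes
        hdr=40
        case $line in *"TS val"*) hdr=52 ;; esac   # nop,nop,TS = 12 option bytes
        if [ $((hdr + len)) -gt "$limit" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# The clamp rule with a fixed MSS.  --tcp-flags SYN,RST SYN matches both SYN
# and SYN/ACK, so one FORWARD rule rewrites the MSS in both directions.
mss_clamp_rule() {
    echo "iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $1"
}

# Demo on the constructed trace.
demo_mtu=$(printf '%s\n' "$SAMPLE_TRACE" | reported_mtu)
demo_over=$(printf '%s\n' "$SAMPLE_TRACE" | oversized_segments "$demo_mtu")
echo "router advertises mtu $demo_mtu; $demo_over inbound segment(s) in the sample exceed it"
echo "rule for /etc/firewall.user:"
mss_clamp_rule "$(mss_for_mtu "$demo_mtu")"
```

Run it as `sh mss_clamp.sh`; on a real capture, source the file and feed `tcpdump -nn -r capture.pcap` into `reported_mtu` and `oversized_segments <mtu> <your-wan-address>` to get the same two numbers for your own traffic. On OpenWrt the printed rule belongs in /etc/firewall.user so it survives firewall reloads; the distribution's own `mtu_fix` option installs the `--clamp-mss-to-pmtu` variant, which takes the MSS from the kernel's notion of the route MTU rather than from a value you have verified against the ICMP the router actually sends. Keep ICMP type 3 code 4 permitted in both directions regardless, since everything that is not TCP still needs it.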
