[strongSwan] ICMP unreachable - need to frag packets

Jay Claybaugh gambit990 at gmail.com
Fri Sep 12 01:42:04 CEST 2014


Jay Claybaugh <gambit990 at ...> writes:
> 
> 
> I’ve set up an IKEv2 VPN between a phone running Android 4.4.2 with the strongSwan 1.4.0 client and an OpenWRT server running Attitude Adjustment.
> However, I’m having trouble with traffic packets not transferring correctly.  I believe the issue is that the encapsulated packets add to the original payload and consequently exceed the MTU.  So only packets sent with a smaller length are successfully received.
> I’ve added the following line to the strongSwan server’s iptables:
> iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> This appears to help some, but packets sent from external sources to my phone still exceed the MTU and the source either ignores or doesn’t receive the corresponding ICMP “unreachable - need to frag” response.
> I’ve enabled logging on the firewall and nothing is apparently being filtered by my server’s firewall (although I’m not very expert with this firewall).
> The following is an excerpt from tcpdump showing the incoming packets and the outgoing ICMP.
> 01:49:10.781209 IP My.IP.43953 > 54.243.165.228.80: Flags [.], ack 440, win 245, options [nop,nop,TS val 1402179 ecr 934076867], length 0
> 01:49:10.781256 IP 93.184.216.146.443 > My.IP.49187: Flags [.], seq 1461:2921, ack 399, win 245, length 1460
> 01:49:10.781362 IP My.IP > 93.184.216.146: ICMP My.IP unreachable - need to frag (mtu 1422), length 556
> 01:49:10.781387 IP 93.184.216.146.443 > My.IP.49187: Flags [P.], seq 2921:3996, ack 399, win 245, length 1075
> 01:49:10.784264 IP My.IP.49187 > 93.184.216.146.443: Flags [.], ack 1, win 229, options [nop,nop,sack 1 {2921:3996}], length 0
> 01:49:10.786403 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 1:1449, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448
> 01:49:10.786539 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556
> 01:49:10.787454 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 1449:2897, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448
> 01:49:10.787572 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556
> 01:49:10.787601 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 2897:4345, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448
> 01:49:10.787664 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556
> 01:49:10.787690 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 4345:5793, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448
> 01:49:10.787752 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556
> 01:49:10.787778 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 5793:7241, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448
> 01:49:10.787840 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556
> 01:49:10.787865 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 7241:8689, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448
> 01:49:10.787928 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556
> 01:49:10.788403 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 8689:10137, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448
> 01:49:10.788520 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556
> 01:49:10.788548 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 10137:11585, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448
> 01:49:10.788609 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556
> 01:49:10.789050 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 11585:13033, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448
> 01:49:10.789156 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556
> 01:49:10.789184 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 13033:14481, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448
> 01:49:10.789247 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556
> 01:49:10.807630 IP 31.13.65.49.443 > My.IP.38113: Flags [.], seq 9080:10450, ack 1497, win 242, options [nop,nop,TS val 672677314 ecr 1402172], length 1370
> 01:49:10.808085 IP 31.13.65.49.443 > My.IP.38113: Flags [P.], seq 10450:10754, ack 1497, win 242, options [nop,nop,TS val 672677314 ecr 1402172], length 304
> 01:49:10.808311 IP 31.13.65.49.443 > My.IP.38113: Flags [.], seq 10754:12124, ack 1497, win 242, options [nop,nop,TS val 672677314 ecr 1402172], length 1370
> As seen, the incoming packets are repeated as if the ICMP is not received.  The result is very inferior network responsiveness from a user perspective.  Any ideas on how to overcome this?
>  
> Jay
> 

With further research, I believe I've come across a solution so I thought 
I'd post it in case it helps others.

It appears that some of the major web sites may be blocking ICMP packets, so 
they never see the "need to frag" request.  Adding the following to 
firewall.user requests an MSS of 1360 from the web site, so that when 
strongSwan encapsulates the received payload for re-transmission to the 
Android client, the composite packet doesn't exceed the MTU.  This is 
probably not the most efficient use of bandwidth, but at least it allows 
traffic to flow normally.

iptables -t mangle -A FORWARD -o eth1 \
        -p tcp -m tcp --tcp-flags SYN,RST SYN \
        -s 192.168.6.0/24 \
        -j TCPMSS --set-mss 1360
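As an added illustration (not code from the post or from strongSwan), the Python script below reads tcpdump lines in the format quoted above and reports peers that keep sending TCP segments too large for the MTU advertised in our "need to frag" messages, which is the PMTUD black hole the clamp works around. The sample lines are constructed from the excerpt; mss_for_mtu uses minimal 20-byte IPv4 and TCP headers, so real segments with options need an even smaller MSS.

```python
import re

# Constructed sample lines modelled on the tcpdump excerpt in the post
# (a real capture would be fed from `tcpdump -n -l` output instead).
SAMPLE = """\
01:49:10.786403 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 1:1449, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448
01:49:10.786539 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556
01:49:10.787454 IP 204.79.197.200.80 > My.IP.52429: Flags [.], seq 1449:2897, ack 560, win 514, options [nop,nop,TS val 3473487 ecr 1402172], length 1448
01:49:10.787572 IP My.IP > 204.79.197.200: ICMP My.IP unreachable - need to frag (mtu 1422), length 556
01:49:10.807630 IP 31.13.65.49.443 > My.IP.38113: Flags [.], seq 9080:10450, ack 1497, win 242, options [nop,nop,TS val 672677314 ecr 1402172], length 1370
"""

# TCP segment line: "IP src.sport > dst.dport: ... length N" (N = TCP payload bytes).
TCP_RE = re.compile(
    r"IP (?P<src>[\w.]+)\.(?P<sport>\d+) > (?P<dst>[\w.]+)\.(?P<dport>\d+): .*length (?P<plen>\d+)$")
# ICMP type 3 code 4 sent by our gateway: "IP gw > peer: ICMP ... need to frag (mtu M)".
ICMP_RE = re.compile(
    r"IP (?P<src>[\w.]+) > (?P<dst>[\w.]+): ICMP .*need to frag \(mtu (?P<mtu>\d+)\)")

IP_HDR, TCP_HDR = 20, 20  # minimal headers; TCP options only make a segment larger


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits an IP MTU with minimal IPv4/TCP headers."""
    return mtu - IP_HDR - TCP_HDR


def find_pmtud_blackholes(capture: str) -> dict:
    """Per remote peer: how many need-to-frag messages we sent it, and how many
    segments it still sent afterwards that cannot fit the advertised MTU.
    Only peers that ignored at least one need-to-frag are returned."""
    peers = {}
    for line in capture.splitlines():
        m = ICMP_RE.search(line)
        if m:  # we told this peer the path MTU; remember it and count the hint
            st = peers.setdefault(m["dst"], {"mtu": None, "icmp_sent": 0, "oversize_after_icmp": 0})
            st["mtu"] = int(m["mtu"])
            st["icmp_sent"] += 1
            continue
        m = TCP_RE.search(line)
        if m and m["src"] in peers:  # segment from a peer that already got a hint
            st = peers[m["src"]]
            if int(m["plen"]) > mss_for_mtu(st["mtu"]):
                st["oversize_after_icmp"] += 1
    return {peer: st for peer, st in peers.items() if st["oversize_after_icmp"]}


if __name__ == "__main__":
    for peer, st in find_pmtud_blackholes(SAMPLE).items():
        print(f"{peer}: ignored {st['icmp_sent']} need-to-frag (mtu {st['mtu']}), "
              f"{st['oversize_after_icmp']} oversize segment(s) after the first hint")
```

For the 1422-byte MTU in the excerpt the minimal-header bound is 1382, so the post's --set-mss 1360 leaves 22 bytes of headroom for TCP options such as timestamps.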
