[strongSwan] Some sites don't load or timeout because of IP fragmentation problems

Noel Kuntze noel at familie-kuntze.de
Mon Mar 9 04:07:35 CET 2015



Hello Mark,

There are two things you can do:
* Set the MTU strongSwan sets on the installed routes to one that includes the overhead of
  the UDP encapsulation and the ESP header/trailer (since version 5.2.2)
* Use iptables to adjust the announced MSS (Maximum Segment Size) of TCP connections to include
  the overhead of UDP encapsulation and the ESP header/trailer (that can be done with strongSwan, too)

Personally, I do both:
Note that I am lazy and just set MSS and MTU to 1300.

# Generated by iptables-save v1.4.21 on Mon Mar  9 02:38:12 2015
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A FORWARD -s 172.16.20.0/23 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1300
COMMIT
# Completed on Mon Mar  9 02:38:12 2015

(That goes into the charon or charon-systemd section in strongswan.conf, depending on which charon binary you use.)

    plugins {
        kernel-netlink {
            mtu = 1300
            mss = 1300
        }
    }


Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 09.03.2015 um 02:32 schrieb Mark M:
> I have a strongSwan server up and running behind my home Verizon FiOS router and have my phone with the Android client using a virtual IP connecting to it and sending all traffic to the server and having the server send the traffic back out my internet connection. The setup looks like this: Android client > Verizon router forwarded to strongSwan server > strongSwan server sends requests out to the internet > sends back to Android client over tunnel.
>
> Everything works great except that a lot of websites do not load or start to load and then timeout. This has something to do with IP fragmentation not working. In Wireshark, I see the strongSwan server sending back ICMP destination unreachable (Fragmentation needed) back to the servers that are timing out. I was running a strongSwan server a few years back and had the same problem. The solution was to change the MTU on my Verizon router to 1400 and it fixed most of the fragmentation problems, but some sites still had this issue.
>
> I still think something is broken with this and can be fixed without setting the MTU. I think path discovery or something like that is broken somewhere, possibly with the strongSwan server.
>
> Does anyone know how to fix this issue?
>
> Thanks,
>
> Mark-
>

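The reply above picks 1300 for both knobs by hand. The script below is an added example, not code from the post or from strongSwan: it models the per-packet ESP overhead (outer IP header, optional UDP NAT-T header, ESP header, IV, padding rounded to the transform's alignment, pad-length/next-header bytes and ICV) and derives a route MTU and a TCP MSS clamp that are consistent with each other. Note that the kernel-netlink `mtu` is an IP packet size while `mss` and the iptables `--set-mss` are TCP payload sizes, so using one number for both leaves TCP segments 40 bytes over the route MTU; the example derives the MSS from the MTU instead. The cipher parameters are the standard ESP values (RFC 4303, RFC 4106, RFC 4868); the outer MTU, the 172.16.20.0/23 subnet and the strongswan.conf layout are taken from the post as illustration, and the function and constant names are this example's own.

```python
"""Derive a consistent route MTU and TCP MSS clamp for a tunnel-mode ESP SA.

Added example, not from the strongSwan post: the transform parameters are
standard ESP values, everything else (outer MTU, subnet, config layout) is an
assumption for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EspTransform:
    name: str
    iv_len: int    # bytes of IV carried right after the ESP header
    block: int     # payload + padding + 2 trailer bytes must be a multiple of this
    icv_len: int   # length of the integrity check value


# Standard ESP values: GCM carries an 8-byte IV and 16-byte tag with 4-byte
# alignment; CBC carries a 16-byte IV and pads to the 16-byte AES block.
AES_GCM_128 = EspTransform("aes128gcm16", iv_len=8, block=4, icv_len=16)
AES_CBC_SHA1 = EspTransform("aes128-sha1", iv_len=16, block=16, icv_len=12)
AES_CBC_SHA256 = EspTransform("aes128-sha256", iv_len=16, block=16, icv_len=16)

ESP_HEADER = 8     # SPI + sequence number
IPV4_HEADER = 20
IPV6_HEADER = 40
UDP_HEADER = 8     # NAT-T encapsulation on UDP/4500
TCP_HEADER = 20    # MSS excludes IP and TCP headers without options


def _fixed_overhead(xf, outer_v6=False, nat_t=True):
    """Bytes added per packet that do not depend on the inner packet length."""
    outer_ip = IPV6_HEADER if outer_v6 else IPV4_HEADER
    return outer_ip + (UDP_HEADER if nat_t else 0) + ESP_HEADER + xf.iv_len + xf.icv_len


def encapsulated_len(inner_len, xf, outer_v6=False, nat_t=True):
    """On-the-wire size of a tunnel-mode ESP packet carrying inner_len bytes."""
    # Pad so that inner packet + pad + (pad length, next header) aligns to the block.
    padded = -(-(inner_len + 2) // xf.block) * xf.block
    return _fixed_overhead(xf, outer_v6, nat_t) + padded


def max_inner_mtu(outer_mtu, xf, outer_v6=False, nat_t=True):
    """Largest inner IP packet that fits outer_mtu without fragmenting the ESP packet."""
    room = outer_mtu - _fixed_overhead(xf, outer_v6, nat_t)
    if room < xf.block:
        raise ValueError("outer MTU too small for this transform")
    return (room // xf.block) * xf.block - 2


def tcp_mss(inner_mtu, inner_v6=False):
    """MSS to clamp to so a full segment fits the inner MTU."""
    return inner_mtu - (IPV6_HEADER if inner_v6 else IPV4_HEADER) - TCP_HEADER


def render_config(outer_mtu, xf, subnet="172.16.20.0/23"):
    """Return (mtu, mss, iptables rule, strongswan.conf fragment) for one outer MTU."""
    mtu = max_inner_mtu(outer_mtu, xf)
    mss = tcp_mss(mtu)
    rule = (f"iptables -t mangle -A FORWARD -s {subnet} -p tcp "
            f"--tcp-flags SYN,RST SYN -j TCPMSS --set-mss {mss}")
    conf = ("charon {\n    plugins {\n        kernel-netlink {\n"
            f"            mtu = {mtu}\n            mss = {mss}\n"
            "        }\n    }\n}")
    return mtu, mss, rule, conf


if __name__ == "__main__":
    # Outer MTU 1400 is the value the original poster set on the router (assumption
    # that it is the effective path MTU); 1500 is the plain Ethernet case.
    for outer in (1500, 1400):
        for xf in (AES_GCM_128, AES_CBC_SHA1, AES_CBC_SHA256):
            mtu, mss, rule, conf = render_config(outer, xf)
            print(f"outer {outer} {xf.name}: route mtu {mtu}, mss {mss}")
            print(rule)
            print(conf)
```

The kernel-netlink `mss` value ends up as the route's advertised MSS, which only shapes TCP connections the strongSwan host itself originates; SYNs the host merely forwards from the virtual-IP subnet are only rewritten by the iptables TCPMSS rule, which is why the post applies both. With a fixed `--set-mss` the clamp must be recomputed whenever the transform or the outer path changes; `-j TCPMSS --clamp-mss-to-pmtu` avoids that when the kernel already knows the route MTU.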