[strongSwan] Some sites don't load or timeout because of IP fragmentation problems

Noel Kuntze noel at familie-kuntze.de
Mon Mar 9 15:21:09 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Mark,

You use modular loading, so you need to set that in the
file /etc/strongswan.d/charon/kernel-netlink.conf.

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 09.03.2015 at 05:51, Mark M wrote:
> sending again to include the list
>
>
> On Monday, March 9, 2015 12:18 AM, Mark M <mark076h at yahoo.com> wrote:
>
>
> Noel,
>
> The plugin does not seem to work. I put my plugin info in /etc/strongswan/strongswan.conf. Here is my setup:
>
> # strongswan.conf - strongSwan configuration file
> #
> # Refer to the strongswan.conf(5) manpage for details
> #
> # Configuration changes should be made in the included files
>
> charon {
>         load_modular = yes
>         plugins {
>                 include strongswan.d/charon/*.conf
>                 kernel-netlink {
>                         mtu = 1300
>                         mss = 1300
>                 }
>                 attr {
>                         dns = 192.168.1.1
>                 }
>         }
>         filelog {
>                 /var/log/strongswan.log {
>                         append = no
>                         default = 1
>                         flush_line = yes
>                 }
>         }
> }
>
>
> include strongswan.d/*.conf
>
>
>
> On Sunday, March 8, 2015 11:07 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
>
> Hello Mark,
>
> There are two things you can do:
> * Set the MTU strongSwan sets on the installed routes to one that includes the overhead of
>   the UDP encapsulation and ESP header/trailer (since version 5.2.2)
> * Use iptables to adjust the announced MSS (Maximum Segment Size) of TCP connections to include
>   the overhead of UDP encapsulation and the ESP header/trailer (that can be done with strongSwan, too)
>
> Personally, I do both:
> Note that I am lazy and just set MSS and MTU to 1300.
>
> # Generated by iptables-save v1.4.21 on Mon Mar  9 02:38:12 2015
> *mangle
> :PREROUTING ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A FORWARD -s 172.16.20.0/23 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1300
> COMMIT
> # Completed on Mon Mar  9 02:38:12 2015
>
> (That goes into the charon or charon-systemd section in strongswan.conf. Depends on what charon binary you use.)
>
>     plugins {
>                 kernel-netlink {
>                         mtu = 1300
>                         mss = 1300
>                 }
>     }
>
>
> Kind regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 09.03.2015 at 02:32, Mark M wrote:
> > I have a strongSwan server up and running behind my home Verizon FiOS router and have my phone with the Android client using a virtual IP connecting to it and sending all traffic to the server, and having the server send the traffic back out my internet connection. The setup looks like this: Android client > Verizon router forwarded to strongSwan server > strongSwan server sends requests out to the internet > sends back to Android client over tunnel.
>
> > Everything works great except that a lot of websites do not load, or start to load and then time out. This has something to do with IP fragmentation not working. In Wireshark, I see the strongSwan server sending ICMP destination unreachable (fragmentation needed) back to the servers that are timing out. I was running a strongSwan server a few years back and had the same problem. The solution was to change the MTU on my Verizon router to 1400 and it fixed most of the fragmentation problems, but some sites still had this issue.
>
> > I still think something is broken with this and can be fixed without setting the MTU. I think path discovery or something like that is broken somewhere, possibly with the strongSwan server.
>
> > Does anyone know how to fix this issue?
>
> > Thanks,
>
> > Mark-
>
>
>
>
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
>
>
>

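The thread settles on "just set MSS and MTU to 1300". The script below, an added example that is not code from the thread or from the strongSwan project, derives the clamp values from the path MTU and the ESP transform instead of guessing: it models the tunnel-mode ESP layout from RFC 4303 (optional UDP/4500 encapsulation, SPI and sequence number, explicit IV, padding to the cipher's alignment, pad-length and next-header trailer, ICV), finds the largest inner packet that still fits the path MTU, and emits the iptables TCPMSS rules and the charon.plugins.kernel-netlink fragment from the reply. The per-algorithm IV/alignment/ICV table is hard-coded here from RFC 4303, 4106, 4868 and 7634 (a constructed table; strongSwan does not export one), the algorithm names mirror strongSwan's esp= notation, and the pool 172.16.20.0/23 and the 1500-byte uplink are assumptions taken from the thread. Inner traffic is assumed to be IPv4 TCP without IP options; MSS excludes IP and TCP headers by definition, so TCP options reduce the data per segment but do not change the clamp value.

```python
"""Derive MTU/MSS clamp values for an ESP tunnel from the path MTU and the
ESP algorithm, rather than picking a round number like 1300.

Added example; not code from the mailing-list thread or from strongSwan.
The ALGOS table is constructed from the ESP RFCs (4303/4106/4868/7634)."""
from dataclasses import dataclass

IPV4_HDR = 20      # IPv4 header without options (used for outer and inner)
IPV6_HDR = 40
UDP_HDR = 8        # NAT-T encapsulation (UDP/4500) sits in front of ESP
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1), inside the ciphertext
TCP_HDR = 20       # TCP header without options; MSS excludes IP and TCP headers


@dataclass(frozen=True)
class EspAlgo:
    iv_len: int    # explicit IV transmitted before the ciphertext
    align: int     # plaintext + trailer is padded to a multiple of this
    icv_len: int   # integrity check value appended after the ciphertext


# Constructed from the RFCs; names follow strongSwan's esp= proposal syntax.
ALGOS = {
    "aes128-sha1": EspAlgo(iv_len=16, align=16, icv_len=12),    # AES-CBC + HMAC-SHA1-96
    "aes256-sha256": EspAlgo(iv_len=16, align=16, icv_len=16),  # AES-CBC + HMAC-SHA2-256-128
    "aes128gcm16": EspAlgo(iv_len=8, align=4, icv_len=16),      # AES-GCM, 8-byte IV, 16-byte ICV
    "chacha20poly1305": EspAlgo(iv_len=8, align=4, icv_len=16),
}


def esp_packet_size(inner_len, algo, udp_encap=True, outer_ipv6=False):
    """Wire size of one tunnel-mode ESP packet carrying an inner IP packet of inner_len bytes."""
    a = ALGOS[algo]
    padded = -(-(inner_len + ESP_TRAILER) // a.align) * a.align  # ceil to the cipher alignment
    outer_ip = IPV6_HDR if outer_ipv6 else IPV4_HDR
    return outer_ip + (UDP_HDR if udp_encap else 0) + ESP_HDR + a.iv_len + padded + a.icv_len


def max_inner_mtu(path_mtu, algo, udp_encap=True, outer_ipv6=False):
    """Largest inner packet whose encapsulation still fits path_mtu, i.e. no outer fragmentation."""
    inner = path_mtu
    while esp_packet_size(inner, algo, udp_encap, outer_ipv6) > path_mtu:
        inner -= 1  # size is monotonic in inner_len, so stepping down finds the boundary
    return inner


def tcp_mss(inner_mtu, inner_ipv6=False):
    """MSS to advertise so that a full-sized TCP segment fits inner_mtu."""
    return inner_mtu - (IPV6_HDR if inner_ipv6 else IPV4_HDR) - TCP_HDR


def clamp_config(subnet, path_mtu, algo, udp_encap=True):
    """Return (mtu, mss, iptables rules, strongswan.conf fragment) for one client pool."""
    mtu = max_inner_mtu(path_mtu, algo, udp_encap)
    mss = tcp_mss(mtu)
    match = f"-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {mss}"
    rules = [
        f"iptables -t mangle -A FORWARD -s {subnet} {match}",  # SYN sent by VPN clients
        f"iptables -t mangle -A FORWARD -d {subnet} {match}",  # SYN-ACK returning to clients
    ]
    conf = (
        "charon {\n"
        "    plugins {\n"
        "        kernel-netlink {\n"
        f"            mtu = {mtu}\n"
        f"            mss = {mss}\n"
        "        }\n"
        "    }\n"
        "}"
    )
    return mtu, mss, rules, conf


if __name__ == "__main__":
    # Thread scenario (assumed): roadwarriors behind NAT, so UDP encapsulation, 1500-byte uplink.
    mtu, mss, rules, conf = clamp_config("172.16.20.0/23", 1500, "aes256-sha256")
    print(f"inner MTU {mtu}, TCP MSS {mss}")
    print("\n".join(rules))
    print(conf)
    # How much slack the thread's "lazy" 1300 leaves on a 1500-byte path.
    print("headroom at inner MTU 1300:", 1500 - esp_packet_size(1300, "aes256-sha256"))
```

For AES-256-CBC with HMAC-SHA-256 over NAT-T on a 1500-byte path this yields an inner MTU of 1422 and an MSS of 1382, so 1300 wastes roughly 120 bytes per packet but is safe; switching to AES-GCM (8-byte IV, 4-byte alignment) raises the inner MTU to 1438. The reply's single rule only matches SYNs sent by the pool (-s), which tells the remote server how big its segments towards the tunnel may be; the second rule with -d clamps the SYN-ACK so the client's outgoing segments are bounded too, rather than relying on the client's own tun MTU. Where the path MTU is not known, iptables' --clamp-mss-to-pmtu reads it from the route instead of taking a fixed value.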
