[strongSwan] Some sites don't load or timeout because of IP fragmentation problems

Mark M mark076h at yahoo.com
Tue Mar 10 09:06:38 CET 2015


For some reason it stopped working after I restarted the server.

     On Tuesday, March 10, 2015 1:45 AM, Mark M <mark076h at yahoo.com> wrote:
   

I found that this iptables rule works:
-A FORWARD -o enp0s3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1300:1536 -j TCPMSS --set-mss 1300
Now I am seeing a lot of TCP retransmission packets and sites are slow to load. Any ideas?
 

     On Tuesday, March 10, 2015 1:06 AM, Mark M <mark076h at yahoo.com> wrote:
   

I confirmed with Wireshark that it advertises an MSS above 1300 for some reason. Something strange is going on here; why would both methods not work?

     On Tuesday, March 10, 2015 12:24 AM, Mark M <mark076h at yahoo.com> wrote:
   

I removed firewalld to make it simpler; here is what it looks like, and still no luck:
[root at CENTOS7 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.9.1          anywhere             policy match dir in pol ipsec reqid 1 proto esp
ACCEPT     all  --  anywhere             192.168.9.1          policy match dir out pol ipsec reqid 1 proto esp
ACCEPT     all  --  anywhere             anywhere
TCPMSS     tcp  --  192.168.9.0/24       anywhere             tcp flags:SYN,RST/SYN TCPMSS set 1300
TCPMSS     tcp  --  192.168.1.0/24       anywhere             tcp flags:SYN,RST/SYN TCPMSS set 1300

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root at CENTOS7 ~]#
 

     On Monday, March 9, 2015 9:57 PM, Mark M <mark076h at yahoo.com> wrote:
   

 Noel,
It does not seem to be working, but I don't know if it is configured properly; I think firewalld makes it a mess. Does this look right?
[root at CENTOS7 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
INPUT_direct  all  --  anywhere             anywhere
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
INPUT_ZONES  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.9.1          anywhere             policy match dir in pol ipsec reqid 2 proto esp
ACCEPT     all  --  anywhere             192.168.9.1          policy match dir out pol ipsec reqid 2 proto esp
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
FORWARD_direct  all  --  anywhere             anywhere
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_IN_ZONES  all  --  anywhere             anywhere
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_OUT_ZONES  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
TCPMSS     tcp  --  192.168.1.0/24       anywhere             tcp flags:SYN,RST/SYN TCPMSS set 1300
TCPMSS     tcp  --  192.168.9.0/24       anywhere             tcp flags:SYN,RST/SYN TCPMSS set 1300

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
OUTPUT_direct  all  --  anywhere             anywhere

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination
FWDI_public  all  --  anywhere             anywhere            [goto]
FWDI_public  all  --  anywhere             anywhere            [goto]
FWDI_public  all  --  anywhere             anywhere            [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination
FWDO_public  all  --  anywhere             anywhere            [goto]
FWDO_public  all  --  anywhere             anywhere            [goto]
FWDO_public  all  --  anywhere             anywhere            [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_direct (1 references)
target     prot opt source               destination

Chain FWDI_public (3 references)
target     prot opt source               destination
FWDI_public_log  all  --  anywhere             anywhere
FWDI_public_deny  all  --  anywhere             anywhere
FWDI_public_allow  all  --  anywhere             anywhere

Chain FWDI_public_allow (1 references)
target     prot opt source               destination

Chain FWDI_public_deny (1 references)
target     prot opt source               destination

Chain FWDI_public_log (1 references)
target     prot opt source               destination

Chain FWDO_public (3 references)
target     prot opt source               destination
FWDO_public_log  all  --  anywhere             anywhere
FWDO_public_deny  all  --  anywhere             anywhere
FWDO_public_allow  all  --  anywhere             anywhere

Chain FWDO_public_allow (1 references)
target     prot opt source               destination

Chain FWDO_public_deny (1 references)
target     prot opt source               destination

Chain FWDO_public_log (1 references)
target     prot opt source               destination

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_public  all  --  anywhere             anywhere            [goto]
IN_public  all  --  anywhere             anywhere            [goto]
IN_public  all  --  anywhere             anywhere            [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain INPUT_direct (1 references)
target     prot opt source               destination

Chain IN_public (3 references)
target     prot opt source               destination
IN_public_log  all  --  anywhere             anywhere
IN_public_deny  all  --  anywhere             anywhere
IN_public_allow  all  --  anywhere             anywhere

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:http ctstate NEW

Chain IN_public_deny (1 references)
target     prot opt source               destination

Chain IN_public_log (1 references)
target     prot opt source               destination

Chain OUTPUT_direct (1 references)
target     prot opt source               destination
[root at CENTOS7 ~]#
 

     On Monday, March 9, 2015 1:57 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
   


Hello Mark,

Please try the iptables rule then.

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 09.03.2015 um 18:37 schrieb Mark M:
> Noel,
>
> Still having the same issue, here is a screenshot of what my traffic looks like - https://i.imgur.com/Svtbiyx.jpg
> 
> 192.168.1.7 is my strongSwan server and 192.168.9.1 is the virtual IP of my strongSwan client.
>
> Thanks,
>
> Mark-
>
>
> On Monday, March 9, 2015 11:57 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
>
> Okay, then that's not it.
>
> Are there still fragments and ICMP messages from the gateway to the HTTP servers?
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 09.03.2015 um 15:34 schrieb Tobias Brunner:
> >> You use modular loading, so you need to set that in the
> >> file /etc/strongswan.d/charon/kernel-netlink.conf.
>
> > That's actually not the case.  The .conf files in the
> > strongswan.d/charon folder are simply included in the top-level
> > strongswan.conf file (as can be seen in the snippet Mark posted).
> > So it's perfectly fine to set options there (or in any of the included
> > file).
>
> > Regards,
> > Tobias
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150310/17cfb1a7/attachment-0001.html>
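In both FORWARD chains Mark posted, an unconditional ACCEPT precedes the TCPMSS rules, and ACCEPT terminates traversal of the chain, so forwarded SYNs are accepted before the clamp is ever evaluated. The following is an added check, not code from the thread or from strongSwan, that parses iptables -L output and flags such shadowed clamp rules; SAMPLE_DUMP is the posted FORWARD chain embedded as constructed sample input.

```python
"""Find TCPMSS rules that a catch-all ACCEPT earlier in the chain makes dead:
ACCEPT terminates traversal, so a clamp rule appended behind it never rewrites a SYN."""

# Constructed sample: the filter-table FORWARD chain as posted in the thread.
SAMPLE_DUMP = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.9.1          anywhere             policy match dir in pol ipsec reqid 1 proto esp
ACCEPT     all  --  anywhere             192.168.9.1          policy match dir out pol ipsec reqid 1 proto esp
ACCEPT     all  --  anywhere             anywhere
TCPMSS     tcp  --  192.168.9.0/24       anywhere             tcp flags:SYN,RST/SYN TCPMSS set 1300
TCPMSS     tcp  --  192.168.1.0/24       anywhere             tcp flags:SYN,RST/SYN TCPMSS set 1300
"""

def parse_chains(dump):
    """Parse `iptables -L` output into {chain: [rule dict, ...]} in rule order."""
    chains, current = {}, None
    for line in dump.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current is None or not line.strip() or line.startswith("target"):
            continue  # preamble, blank separator or column header
        else:
            # Columns: target prot opt source destination [match/target options]
            parts = line.split(None, 5) + [""] * 6
            target, prot, _opt, src, dst, extra = parts[:6]
            chains[current].append({"target": target, "prot": prot,
                                    "src": src, "dst": dst, "extra": extra})
    return chains

def is_catch_all_accept(rule):
    """True for an ACCEPT with no protocol, address or extra match restriction."""
    return (rule["target"] == "ACCEPT" and rule["prot"] == "all"
            and rule["src"] == rule["dst"] == "anywhere" and rule["extra"] == "")

def shadowed_tcpmss(chains, chain="FORWARD"):
    """1-based numbers (as in `iptables -L --line-numbers`) of dead TCPMSS rules."""
    hits, blocked = [], False
    for num, rule in enumerate(chains.get(chain, []), start=1):
        if is_catch_all_accept(rule):
            blocked = True
        elif blocked and rule["target"] == "TCPMSS":
            hits.append(num)
    return hits

if __name__ == "__main__":
    for num in shadowed_tcpmss(parse_chains(SAMPLE_DUMP)):
        print("FORWARD rule %d is never reached; insert the clamp above the ACCEPT" % num)
```

Inserting the clamp at the top with iptables -I FORWARD 1, or placing it in the mangle table's FORWARD chain, which is traversed before the filter table, keeps it reachable. Note that the "policy match dir in pol ipsec" ACCEPT for 192.168.9.1 also sits above the clamp and accepts decrypted client traffic before a TCPMSS rule is consulted.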

