[strongSwan] Some sites don't load or timeout because of IP fragmentation problems
Mark M
mark076h at yahoo.com
Tue Mar 10 09:21:09 CET 2015
It looks like I have to enter this from the command line:
iptables -t mangle -A FORWARD -o enp0s3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1300:1536 -j TCPMSS --set-mss 1300
Seems to solve the MSS issue, but now sites take a VERY long time to load and will sometimes timeout. I see a lot of TCP Retransmission messages. Any ideas?
On Tuesday, March 10, 2015 4:06 AM, Mark M <mark076h at yahoo.com> wrote:
For some reason it stopped working after I restarted the server.
On Tuesday, March 10, 2015 1:45 AM, Mark M <mark076h at yahoo.com> wrote:
I found that this iptables rule works-
-A FORWARD -o enp0s3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1300:1536 -j TCPMSS --set-mss 1300
Now I am seeing a lot of TCP Retransmission packets and sites are slow to load. Any ideas?
On Tuesday, March 10, 2015 1:06 AM, Mark M <mark076h at yahoo.com> wrote:
I confirmed with Wireshark that it advertises an MSS above 1300 for some reason. Something strange is going on here, why would both methods not work?
On Tuesday, March 10, 2015 12:24 AM, Mark M <mark076h at yahoo.com> wrote:
I removed firewalld to make it more simple, here is what it looks like and still no luck-
[root at CENTOS7 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.9.1          anywhere             policy match dir in pol ipsec reqid 1 proto esp
ACCEPT     all  --  anywhere             192.168.9.1          policy match dir out pol ipsec reqid 1 proto esp
ACCEPT     all  --  anywhere             anywhere
TCPMSS     tcp  --  192.168.9.0/24       anywhere             tcp flags:SYN,RST/SYN TCPMSS set 1300
TCPMSS     tcp  --  192.168.1.0/24       anywhere             tcp flags:SYN,RST/SYN TCPMSS set 1300

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root at CENTOS7 ~]#
On Monday, March 9, 2015 9:57 PM, Mark M <mark076h at yahoo.com> wrote:
Noel,
Does not seem to be working but I don't know if it is configured properly, I think firewalld makes it a mess. Does this look right?
[root at CENTOS7 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
INPUT_direct  all  --  anywhere             anywhere
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
INPUT_ZONES  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.9.1          anywhere             policy match dir in pol ipsec reqid 2 proto esp
ACCEPT     all  --  anywhere             192.168.9.1          policy match dir out pol ipsec reqid 2 proto esp
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
FORWARD_direct  all  --  anywhere             anywhere
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_IN_ZONES  all  --  anywhere             anywhere
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_OUT_ZONES  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
TCPMSS     tcp  --  192.168.1.0/24       anywhere             tcp flags:SYN,RST/SYN TCPMSS set 1300
TCPMSS     tcp  --  192.168.9.0/24       anywhere             tcp flags:SYN,RST/SYN TCPMSS set 1300

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
OUTPUT_direct  all  --  anywhere             anywhere

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination
FWDI_public  all  --  anywhere             anywhere            [goto]
FWDI_public  all  --  anywhere             anywhere            [goto]
FWDI_public  all  --  anywhere             anywhere            [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination
FWDO_public  all  --  anywhere             anywhere            [goto]
FWDO_public  all  --  anywhere             anywhere            [goto]
FWDO_public  all  --  anywhere             anywhere            [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_direct (1 references)
target     prot opt source               destination

Chain FWDI_public (3 references)
target     prot opt source               destination
FWDI_public_log  all  --  anywhere             anywhere
FWDI_public_deny  all  --  anywhere             anywhere
FWDI_public_allow  all  --  anywhere             anywhere

Chain FWDI_public_allow (1 references)
target     prot opt source               destination

Chain FWDI_public_deny (1 references)
target     prot opt source               destination

Chain FWDI_public_log (1 references)
target     prot opt source               destination

Chain FWDO_public (3 references)
target     prot opt source               destination
FWDO_public_log  all  --  anywhere             anywhere
FWDO_public_deny  all  --  anywhere             anywhere
FWDO_public_allow  all  --  anywhere             anywhere

Chain FWDO_public_allow (1 references)
target     prot opt source               destination

Chain FWDO_public_deny (1 references)
target     prot opt source               destination

Chain FWDO_public_log (1 references)
target     prot opt source               destination

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_public  all  --  anywhere             anywhere            [goto]
IN_public  all  --  anywhere             anywhere            [goto]
IN_public  all  --  anywhere             anywhere            [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain INPUT_direct (1 references)
target     prot opt source               destination

Chain IN_public (3 references)
target     prot opt source               destination
IN_public_log  all  --  anywhere             anywhere
IN_public_deny  all  --  anywhere             anywhere
IN_public_allow  all  --  anywhere             anywhere

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:http ctstate NEW

Chain IN_public_deny (1 references)
target     prot opt source               destination

Chain IN_public_log (1 references)
target     prot opt source               destination

Chain OUTPUT_direct (1 references)
target     prot opt source               destination
[root at CENTOS7 ~]#
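In both iptables listings above (filter table, FORWARD chain) the TCPMSS rules sit below an unconditional "ACCEPT all -- anywhere anywhere" rule. iptables evaluates a chain top to bottom and stops at the first terminating target (ACCEPT, DROP, REJECT, RETURN), so a rule placed after such a catch-all is never reached, whatever table it lives in. The checker below is an added example, not code from the thread or from the strongSwan project: it parses the text format of "iptables -L" and reports every rule that is shadowed by an earlier catch-all in the same chain. The embedded listing is a constructed copy of the shape posted above (INPUT and FORWARD chains, reqid 1), and the function and variable names are this example's own. Note that "iptables -L" without "-t mangle" shows only the filter table, so a rule added with "-t mangle" must be inspected with "iptables -t mangle -L".

```python
"""Report iptables rules that can never match because an earlier rule in the
same chain already accepts, drops, rejects or returns every packet.

Added example for the strongSwan MSS-clamping thread; it is not the project's
code. It parses the plain "iptables -L" text format (filter table, names not
numeric) and flags rules that sit below a catch-all terminating rule.
"""
import re

# Targets that end traversal of the current chain for a matching packet.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}

# Constructed sample: the same chain shapes that were posted in the thread.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.9.1          anywhere             policy match dir in pol ipsec reqid 1 proto esp
ACCEPT     all  --  anywhere             192.168.9.1          policy match dir out pol ipsec reqid 1 proto esp
ACCEPT     all  --  anywhere             anywhere
TCPMSS     tcp  --  192.168.9.0/24       anywhere             tcp flags:SYN,RST/SYN TCPMSS set 1300
TCPMSS     tcp  --  192.168.1.0/24       anywhere             tcp flags:SYN,RST/SYN TCPMSS set 1300

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""


def parse_listing(text):
    """Parse "iptables -L" output into {chain_name: [rule_dict, ...]}.

    Each rule dict has target, prot, source, destination and extras (the
    free-form match text after the five fixed columns, "" if absent).
    """
    chains = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        header = re.match(r"Chain (\S+)", line)
        if header:
            current = header.group(1)
            chains[current] = []
            continue
        if line.startswith("target"):  # column header row
            continue
        # Columns: target prot opt source destination [extra match text]
        parts = line.split(None, 5)
        chains[current].append({
            "target": parts[0],
            "prot": parts[1],
            "source": parts[3],
            "destination": parts[4],
            "extras": parts[5] if len(parts) > 5 else "",
        })
    return chains


def is_catch_all(rule):
    """True for a terminating rule that matches every packet in the chain."""
    return (rule["target"] in TERMINATING
            and rule["prot"] == "all"
            and rule["source"] == "anywhere"
            and rule["destination"] == "anywhere"
            and rule["extras"] == "")


def find_shadowed(chains):
    """Return (chain, rule_index, target, blocking_index) for each rule that
    comes after the first catch-all rule of its chain (indices are 0-based)."""
    shadowed = []
    for name, rules in chains.items():
        blocker = None
        for i, rule in enumerate(rules):
            if blocker is not None:
                shadowed.append((name, i, rule["target"], blocker))
            elif is_catch_all(rule):
                blocker = i
    return shadowed


def report(text):
    """Human-readable lines for every shadowed rule in a listing."""
    return ["%s: rule %d (%s) is unreachable, rule %d accepts everything first"
            % (chain, i + 1, target, blocker + 1)
            for chain, i, target, blocker in find_shadowed(parse_listing(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_LISTING):
        print(line)
```

Run against the sample, the checker lists both TCPMSS rules in FORWARD as unreachable (rule 3 accepts everything first) and, in INPUT, the ssh/isakmp/nat-t accepts and the final REJECT as unreachable behind rule 3. The fix the checker points at is ordering: the MSS clamp has to be evaluated before any rule that terminates traversal, which is one reason the mangle table (traversed before filter) is the usual place for it.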
On Monday, March 9, 2015 1:57 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
Hello Mark,
Please try the iptables rule then.
Kind regards/Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 09.03.2015 at 18:37, Mark M wrote:
> Noel,
>
> Still having the same issue, here is a screenshot of what my traffic looks like - https://i.imgur.com/Svtbiyx.jpg
>
> 192.168.1.7 is my strongSwan server and 192.168.9.1 is the virtual IP of my strongSwan client.
>
> Thanks,
>
> Mark-
>
>
> On Monday, March 9, 2015 11:57 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
> Okay, then that's not it.
>
> Are there still fragments and ICMP messages from the gateway to the HTTP servers?
>
> Kind regards/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 09.03.2015 at 15:34, Tobias Brunner wrote:
> >> You use modular loading, so you need to set that in the
> >> file /etc/strongswan.d/charon/kernel-netlink.conf.
>
> > That's actually not the case. The .conf files in the
> > strongswan.d/charon folder are simply included in the top-level
> > strongswan.conf file (as can be seen in the snippet Mark posted).
> > So it's perfectly fine to set options there (or in any of the included
> > file).
>
> > Regards,
> > Tobias