[strongSwan] MTU problem?

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Sat Aug 12 22:05:16 CEST 2017


Hi,

Either peer will try to send packets with the maximum MTU of the route (PMTU discovery also plays a part in it).

There can be a lot of problems. Try to fix the MSS and the MTU for the routes first. There are keys in strongswan.conf for that.
They are only significant for connections that are terminated or initiated by the host.

I strongly recommend stopping trying to guess what the problem is and taking a look at what happens with the packets on
the wire and in the kernel. tcpdump, tshark, wireshark(-gtk) and the iptables LOG and TRACE targets are your friends.

To be able to help you, I need some traffic dumps and the things that are listed on the HelpRequests[1] page on the wiki.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

Kind regards

Noel

On 09.08.2017 16:10, lejeczek wrote:
> hi everyone
>
> I'd like to ask - how does MTU affect the link/connection of a tunnel if the MTUs on both ends are different?
>
> I'm asking because I'm seeing behaviour, symptoms which I think relate to or are directly caused by:
>
> _Aclient(auto=1500) <=> server(out iface auto=1500), server other iface 10.10.10.100(mtu=8192)
>
> _Aclient vpns in fine, server's rightsourceip=10.10.10.220,10.10.10.221 and server is pingable from _Aclient as any other node on 10.10.10.0/24 is, but!
> _Aclient cannot ssh to the server nor to any other node on 10.10.10.0/24
>
> Normally I'd blame, with high certainty, MTUs but because I have only begun looking at strongSwan I'm looking for experts to share a few thoughts and advice.
>
> many thanks, L.
>
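
The arithmetic behind fixing the MTU and MSS through strongswan.conf, as an added example that is not part of the original mail or of strongSwan: it computes the largest inner packet that fits an IPv4 ESP tunnel-mode packet into the 1500-byte outer MTU from the thread and renders the `mtu` and `mss` keys of the `charon.plugins.kernel-netlink` section. The transform table, the function names and the NAT-T setting are assumptions, since the thread does not state the negotiated proposal.

```python
# Per-transform sizes in bytes: (IV length, padding alignment, ICV length).
# Constructed table covering three common proposals (assumption, not from the thread).
TRANSFORMS = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
    "aes-gcm-16": (8, 4, 16),
}

OUTER_IPV4 = 20        # outer IPv4 header without options
UDP_ENCAP = 8          # UDP header when NAT-T encapsulation is in use
ESP_HEADER = 8         # SPI + sequence number
ESP_TRAILER = 2        # pad length + next header, encrypted with the payload
TCP_IPV4_HEADERS = 40  # inner IPv4 + TCP headers without options


def inner_mtu(path_mtu, transform, nat_t=False):
    """Largest inner IPv4 packet whose ESP packet still fits into path_mtu."""
    iv, align, icv = TRANSFORMS[transform]
    room = path_mtu - OUTER_IPV4 - ESP_HEADER - iv - icv
    if nat_t:
        room -= UDP_ENCAP
    if room < align:
        raise ValueError("path MTU too small for this transform")
    # Payload + padding + trailer must be a multiple of the alignment.
    return (room // align) * align - ESP_TRAILER


def route_settings(path_mtu, transform, nat_t=False):
    """(mtu, mss) values for the routes installed by the IKE daemon."""
    mtu = inner_mtu(path_mtu, transform, nat_t)
    return mtu, mtu - TCP_IPV4_HEADERS


def strongswan_conf(path_mtu, transform, nat_t=False):
    """Render a strongswan.conf fragment for the kernel-netlink plugin."""
    mtu, mss = route_settings(path_mtu, transform, nat_t)
    return (
        "charon {\n  plugins {\n    kernel-netlink {\n"
        f"      mtu = {mtu}\n      mss = {mss}\n"
        "    }\n  }\n}\n"
    )


if __name__ == "__main__":
    # 1500 is the outer interface MTU from the thread; transform and NAT-T are assumed.
    print(strongswan_conf(1500, "aes-cbc/hmac-sha256-128", nat_t=True))
```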
