[strongSwan] Problem with MTU in IPSec Transport Mode

Noel Kuntze noel at familie-kuntze.de
Wed Jan 4 23:51:43 CET 2017


On 04.01.2017 23:45, Jan-Philipp Hülshoff wrote:

> (I suspect that the resulting encrypted packet will be larger than the mtu of the outgoing interface.) 
Yes.

> Is this behaviour intended? Is this use case supported or is it an unusual way to use ipsec transport mode in combination with NAT/routing?
Set charon.plugins.kernel-netlink.mtu to 1400 or lower. This causes creation of routes with set MTU sizes, which causes the kernel to send ICMP errors when packets are supposed to be routed using that route, but they're too large. You need to take the IPsec overhead into account. This setting DOES NOT work when the sender of the IP packet drops ICMP errors (Instagram and the Twitter image servers drop ICMP errors).

-- 

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
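The reply says the route MTU must leave room for "the IPsec overhead" but does not spell out how large that overhead is for ESP in transport mode. The following is an added worked example, not code from the thread or from strongSwan: it sizes an ESP transport-mode packet from the RFC 4303 layout (SPI and sequence number, IV, padded payload, pad-length and next-header bytes, ICV) plus the RFC 3948 UDP header used when NAT traversal is active, and derives the largest cleartext packet that still fits the outgoing link. The algorithm table (IV, alignment, ICV lengths) is taken from RFC 4303, RFC 4106, RFC 4868 and RFC 7634; the 4-byte alignment for AEAD ciphers matches what the Linux ESP code does, which is an assumption about the kernel the original poster is running. Function names and the 1500-byte link MTU are constructed for the example.

```python
# Added example: ESP transport-mode overhead and route-MTU check.
# Not part of the strongSwan mailing-list thread or of strongSwan itself.

# Per-algorithm ESP parameters in bytes: IV length, alignment the
# encrypted (payload + trailer) region is padded to, and ICV length.
# Sources: RFC 4303 (ESP), RFC 4106 (AES-GCM), RFC 4868 (HMAC-SHA2),
# RFC 7634 (ChaCha20-Poly1305). AEAD alignment of 4 is what Linux uses.
ALGORITHMS = {
    "aes128-cbc+hmac-sha256-128": {"iv": 16, "align": 16, "icv": 16},
    "aes128-cbc+hmac-sha1-96":    {"iv": 16, "align": 16, "icv": 12},
    "aes128-gcm-icv16":           {"iv": 8,  "align": 4,  "icv": 16},
    "chacha20poly1305":           {"iv": 8,  "align": 4,  "icv": 16},
}

ESP_HEADER = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
IPV4_HEADER = 20  # outer/inner header in transport mode, no options
UDP_ENCAP = 8     # UDP header added by NAT-T encapsulation (RFC 3948)


def esp_transport_size(ip_packet_len, algo, natt=True):
    """Wire size of a cleartext IPv4 packet after ESP transport-mode encapsulation.

    In transport mode the original IP header is kept and everything after it
    (TCP/UDP header and data) becomes the ESP payload.
    """
    p = ALGORITHMS[algo]
    payload = ip_packet_len - IPV4_HEADER
    # Payload plus trailer is padded up to the cipher's alignment boundary.
    encrypted = ((payload + ESP_TRAILER + p["align"] - 1) // p["align"]) * p["align"]
    encap = UDP_ENCAP if natt else 0
    return IPV4_HEADER + encap + ESP_HEADER + p["iv"] + encrypted + p["icv"]


def esp_overhead(ip_packet_len, algo, natt=True):
    """Bytes added by ESP (and NAT-T) to a cleartext packet of the given size."""
    return esp_transport_size(ip_packet_len, algo, natt) - ip_packet_len


def max_cleartext_packet(link_mtu, algo, natt=True):
    """Largest cleartext IPv4 packet whose encapsulated form still fits link_mtu.

    Encapsulated size grows monotonically with cleartext size, so a downward
    scan from link_mtu finds the boundary; padding makes the overhead vary
    by a few bytes, which is why this is not a constant subtraction.
    """
    for n in range(link_mtu, IPV4_HEADER, -1):
        if esp_transport_size(n, algo, natt) <= link_mtu:
            return n
    return None


def route_mtu_fits(route_mtu, link_mtu, algo, natt=True):
    """True if every packet the sender emits at route_mtu fits the link after ESP.

    This is the condition the charon.plugins.kernel-netlink.mtu value has to
    satisfy for the outgoing interface; it only helps if the sender honours
    the resulting ICMP "fragmentation needed" messages.
    """
    return esp_transport_size(route_mtu, algo, natt) <= link_mtu


if __name__ == "__main__":
    link = 1500  # constructed: a plain Ethernet uplink
    for algo in ALGORITHMS:
        print(f"{algo:28s} full 1500-byte packet -> "
              f"{esp_transport_size(1500, algo)} bytes on the wire, "
              f"max cleartext {max_cleartext_packet(link, algo)}, "
              f"route MTU 1400 fits: {route_mtu_fits(1400, link, algo)}")
```

Running it shows why a full-size 1500-byte packet cannot survive transport-mode ESP on a 1500-byte link (with AES-GCM and NAT-T it becomes 1544 bytes), and that the 1400 suggested in the reply leaves comfortable headroom for every cipher in the table; `max_cleartext_packet` gives the tightest value if you prefer not to waste bytes, but, as the reply notes, the route MTU only takes effect when the original sender reacts to the ICMP errors the kernel generates.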

