[strongSwan] Problem with MTU in IPSec Transport Mode
listmail at bklosr.de
Thu Jan 5 01:34:40 CET 2017
On 04.01.2017 23:51, Noel Kuntze wrote:
> On 04.01.2017 23:45, Jan-Philipp Hülshoff wrote:
>> (I suspect that the resulting encrypted packet will be larger than
>> the mtu of the outgoing interface.)
>> Is this behaviour intended? Is this use case supported or is it an
>> unusual way to use ipsec transport mode in combination with NAT/routing?
> Set charon.plugins.kernel-netlink.mtu to 1400 or lower.
Done. Tested. This does not work.
According to the documentation this will set the mtu for routes _added
by charon_. Charon does not alter the routing table in this scenario.
I would expect that this mtu-foo is done automagically in the Linux
kernel. The error that I can see when pinging with a packet size that is
too large directly on the router should be transformed into the correct
ICMP error and sent back to the sender.