[strongSwan] Problem with MTU in IPSec Transport Mode

Jan-Philipp Hülshoff listmail at bklosr.de
Thu Jan 5 01:34:40 CET 2017


On 04.01.2017 23:51, Noel Kuntze wrote:
> On 04.01.2017 23:45, Jan-Philipp Hülshoff wrote:
>
>> (I suspect that the resulting encrypted packet will be larger than the mtu of the outgoing interface.)
> Yes.
>
>> Is this behaviour intended? Is this use case supported or is it an unusual way to use ipsec transport mode in combination with NAT/routing?
> Set charon.plugins.kernel-netlink.mtu to 1400 or lower.
Done. Tested. This does not work.

According to the documentation this will set the mtu for routes _added 
by charon_. Charon does not alter the routing table in this scenario. 
Any hints?

I would expect that this mtu-foo is done automagically in the Linux 
kernel. The error that I can see when pinging with a packet size that is 
too large directly on the router should be transformed into the correct 
ICMP error and sent back to the sender.

Kind regards
  Jan-Philipp Hülshoff
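The size problem discussed in this thread comes from ESP overhead: in transport mode the original IP header is kept, but an ESP header, IV, trailer padding and ICV are added, plus a UDP header when NAT traversal is in use, so a packet that filled the interface MTU before encryption no longer fits afterwards. The following calculator is an added example and not code from the thread or from strongSwan; it assumes IPv4 without options and takes the IV, padding alignment and ICV lengths of a few common ESP transforms from RFC 4106 (AES-GCM), RFC 3602 (AES-CBC), RFC 7634 (ChaCha20-Poly1305) and RFC 3948 (UDP encapsulation). It reports the on-the-wire size of an encrypted packet and the largest inner packet that still fits, which is the value an MTU clamp on the client side would need.

```python
"""ESP transport-mode size calculator (added example, not strongSwan code).

Assumes IPv4 headers of 20 bytes (no options) and the RFC-defined
framing of ESP: SPI + sequence number, explicit IV, encrypted payload,
padding, pad-length + next-header bytes, and the integrity check value.
"""

IP_HDR = 20        # IPv4 header without options
ESP_HDR = 8        # SPI (4) + sequence number (4)
UDP_ENCAP = 8      # NAT-T UDP header, RFC 3948
TRAILER = 2        # pad length (1) + next header (1)

# transform name -> (explicit IV length, padding alignment, ICV length)
# For AEAD/stream modes the padding only needs 4-byte alignment; for
# CBC it must reach the 16-byte AES block size.
TRANSFORMS = {
    "aes128gcm16": (8, 4, 16),
    "aes256gcm16": (8, 4, 16),
    "chacha20poly1305": (8, 4, 16),
    "aes128-sha256": (16, 16, 16),   # AES-CBC + HMAC-SHA2-256-128
    "aes128-sha1": (16, 16, 12),     # AES-CBC + HMAC-SHA1-96
}


def esp_padding(payload_len: int, align: int) -> int:
    """Padding so that payload + padding + trailer is a multiple of align."""
    return (-(payload_len + TRAILER)) % align


def esp_transport_size(inner_len: int, transform: str, nat_t: bool = False) -> int:
    """On-the-wire size of an inner IPv4 packet after ESP transport mode.

    inner_len is the full length of the original packet (header + payload).
    Only the part after the IP header is encrypted in transport mode.
    """
    iv_len, align, icv_len = TRANSFORMS[transform]
    payload = inner_len - IP_HDR
    if payload < 0:
        raise ValueError("inner packet shorter than an IPv4 header")
    esp = ESP_HDR + iv_len + payload + esp_padding(payload, align) + TRAILER + icv_len
    return IP_HDR + (UDP_ENCAP if nat_t else 0) + esp


def max_inner_len(mtu: int, transform: str, nat_t: bool = False) -> int:
    """Largest inner packet whose ESP encapsulation still fits into mtu.

    This is the effective MTU the sender behind the NAT would have to use
    (or be told via ICMP fragmentation-needed) to avoid oversized packets.
    """
    n = mtu
    while n > IP_HDR and esp_transport_size(n, transform, nat_t) > mtu:
        n -= 1
    return n


def fits(inner_len: int, mtu: int, transform: str, nat_t: bool = False) -> bool:
    """True if the encrypted packet does not exceed the outgoing MTU."""
    return esp_transport_size(inner_len, transform, nat_t) <= mtu


if __name__ == "__main__":
    # Constructed scenario: a full-size 1500-byte packet arriving at the
    # router, forwarded through an ESP transport-mode SA over NAT-T on a
    # 1500-byte uplink.
    for name in TRANSFORMS:
        size = esp_transport_size(1500, name, nat_t=True)
        print(f"{name:18s} 1500 -> {size} bytes on the wire, "
              f"fits={fits(1500, 1500, name, True)}, "
              f"largest inner packet that fits: {max_inner_len(1500, name, True)}")
```

For AES-GCM over NAT-T the inner packet may not exceed 1458 bytes on a 1500-byte uplink; with AES-CBC and HMAC-SHA1 the figure is smaller because of the 16-byte IV and block padding. Setting the kernel-netlink MTU only helps when charon installs routes, so in a forwarding scenario like this one the clamp has to come from the router's own routing or firewall configuration.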

