[strongSwan] Tunnel over [slow] GPRS link

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Tue May 2 09:40:06 CEST 2017


Neither of the settings you mentioned (or the iptables target) will affect the IKE negotiation.
The setting only affects the MTU or MSS of the installed routes (as the manual says), not
the sending of the IKE packets.

On 02.05.2017 07:48, Alexander Hill wrote:
> I changed my configuration on the mobile initiator side only.
>
> You're right about the MSS only affecting TCP - but my understanding is that it affects the size of packets before encapsulation in UDP, so your final, encapsulated UDP packets also end up smaller.
>
> Cheers,
> Alex
>
> On Tue, 2 May 2017 at 13:40 Rene Maurer <renemaur at gmail.com <mailto:renemaur at gmail.com>> wrote:
>
>     Hello Alex
>
>     Alexander Hill <alex at hill.net.au <mailto:alex at hill.net.au>> wrote:
>
>     > It sounds like an issue with that provider's network configuration
>     > rather than with the bandwidth or latency.
>
>     This is my opinion as well.
>
>     > Try lowering MTU/MSS with either the
>     > charon.plugins.kernel-netlink.mss/mtu settings or via iptables.
>
>     I have tried to lower MTU. Without success so far.
>     I may try MSS as well, but as far as I know MSS is only relevant for
>     TCP not UDP (which is used by IKE).
>
>     BTW, should MSS/MTU be lowered at both sides of the tunnel or is it
>     enough when this is done at the Mobile Modem side?
>
>     > https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#MTUMSS-issues
>
>     Thanks for the link.
>
>     Kind regrads
>     René
>


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170502/16278667/attachment.sig>


More information about the Users mailing list