[strongSwan] Intermittent MTU issue

Phil Frost phil at postmates.com
Fri Jun 1 18:42:39 CEST 2018


On Fri, Jun 1, 2018 at 11:51 AM Noel Kuntze
<noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:

> > I'd also check that under no circumstances can the hosts exchange
> > unencrypted traffic. This can happen for example if the tunnel goes down
> > and there's nothing to block unencrypted traffic. "auto=route" is a good
> > idea, as is blocking everything besides ESP with iptables.
>
> If you do that, nothing will work, because decapsulated packets are
> subject to iptables rules, too.
>

You're right, I hadn't considered a policy based tunnel. All of the tunnels
I administer use dynamic routing and a vti: the rules that block
unencrypted traffic apply only to the ethernet interface. (Incidentally the
tunnel interface makes packet captures easier.)

"auto=route" should work regardless.
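The arrangement described above, as an added example that is not from the thread: an iptables-restore style filter fragment (constructed here; the interface names eth0 and vti0 and the peer address 198.51.100.2 are assumptions) that admits only IKE and ESP on the Ethernet interface and leaves the VTI interface open, so packets that are decapsulated onto vti0 are never hit by the eth0-only rules. The commented lines at the end show the policy-based alternative for a tunnel without a VTI, where decapsulated packets are matched by IPsec policy rather than by interface.

```text
# Constructed example, not configuration from the thread. Assumptions:
# eth0 = physical interface, vti0 = route-based tunnel interface,
# 198.51.100.2 = IPsec peer.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# On eth0 only IKE (UDP 500, and 4500 for NAT traversal) and ESP to/from the
# peer are accepted; the DROP chain policies catch everything else, so a tunnel
# outage cannot leak plaintext onto the wire.
-A INPUT  -i eth0 -s 198.51.100.2 -p udp -m multiport --dports 500,4500 -j ACCEPT
-A OUTPUT -o eth0 -d 198.51.100.2 -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT  -i eth0 -s 198.51.100.2 -p esp -j ACCEPT
-A OUTPUT -o eth0 -d 198.51.100.2 -p esp -j ACCEPT
# Decapsulated traffic appears on vti0, not eth0, so these rules do not
# interfere with it (apply whatever filtering the inner traffic needs here).
-A INPUT   -i vti0 -j ACCEPT
-A OUTPUT  -o vti0 -j ACCEPT
-A FORWARD -i vti0 -j ACCEPT
-A FORWARD -o vti0 -j ACCEPT
# Policy-based tunnel (no VTI): decapsulated packets arrive on eth0, so match
# them by IPsec policy instead of by interface.
# -A INPUT   -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
# -A OUTPUT  -m policy --dir out --pol ipsec --proto esp -j ACCEPT
# -A FORWARD -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
# -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
COMMIT
```

Note that this fragment deliberately admits nothing else on eth0, matching the "block everything besides ESP" advice in the thread; any management access the host needs on that interface has to be added explicitly, and packet captures on vti0 show the inner traffic in the clear, which is the convenience mentioned above.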