[strongSwan] Packets get lost in one direction (MTU?)
Catscrash
catscrash at catscrash.de
Sat Nov 30 23:31:15 CET 2019
Hi,
I have an issue with one of my tunnels. On both sides, strongswan
5.5.1-4+deb9u4 is installed on Debian 9.
Here is the config:

conn connection1
    type=tunnel
    left=IP_Server_A
    leftsubnet=10.155.0.1/32
    leftfirewall=yes
    leftid=IP_Server_A
    right=IP_Server_B
    rightsubnet=10.100.0.1/24
    rightid=IP_Server_B
    auto=start
    compress=yes
    #Phase-1
    keyexchange=ikev2
    authby=secret
    ike=aes256-sha256-modp4096
    ikelifetime=24h
    #Phase-2
    keylife=1h
    esp=aes256-sha256-modp4096

Other side looks like that, with left and right switched.
Ping works from A to B and from B to A.
When I ssh from B to A, it works, but as soon as I have a larger
terminal output the connection breaks.
When I ssh from A to B, everything works fine.
When I do a scp on server B to push a file to server A, everything works
fine, even for huge files.
When I do a scp on server B to pull a file from server A, it breaks
after a few bytes and doesn't continue.
I thought this sounds like an MTU issue. I tried setting
fragmentation=yes, which did not help. The external interfaces on both
sides have mtu 1500 set, at least that's what "ip link show" says.
I tried to find out which MTU would work with the ping -M do -s command.
And it seems everything above 1410 causes trouble. So I guess setting it
to 1400 would be fine... But how? I'd rather not set the external
interface MTU, since there are a lot of other tunnels on those servers
that work just fine except for this one.
Thanks for any help!
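
The "ping -M do -s" probing described in the post, automated as a binary search (an added example, not part of the original message). The function names, the 548 to 1472 byte payload range and the 1-second reply timeout are assumptions; the reported value is the largest working payload plus 28 bytes of IPv4 and ICMP headers.

```shell
#!/usr/bin/env bash
# Added example: binary-search the largest ICMP payload that crosses the
# tunnel unfragmented, using the same "ping -M do -s" probe as the post.

# probe SIZE HOST: succeed if one echo with the DF bit set and SIZE payload
# bytes is answered within 1 second (Linux iputils ping options).
probe() {
    ping -M do -c 1 -W 1 -s "$1" "$2" >/dev/null 2>&1
}

# find_path_mtu HOST [LOW] [HIGH]: print the largest working IP packet size,
# i.e. payload + 20-byte IPv4 header + 8-byte ICMP header.
# LOW/HIGH are payload sizes (assumed defaults: 576-28 and 1500-28).
# Returns 1 if even the LOW payload gets no reply (tunnel down, ICMP filtered).
find_path_mtu() {
    local host="$1" lo="${2:-548}" hi="${3:-1472}" mid
    probe "$lo" "$host" || return 1
    # Invariant: a payload of $lo passes; nothing above $hi is known to pass.
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid" "$host"; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo $(( lo + 28 ))
}

# Run only when a peer address is given, e.g.: ./pmtu.sh 10.155.0.1
if [ "$#" -ge 1 ]; then
    find_path_mtu "$@" || { echo "no reply even at the smallest size" >&2; exit 1; }
fi
```

Run it from each side toward an address inside the peer's tunnel subnet, since the symptoms in the post differ by direction.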