[strongSwan] Packets get lost in one direction (MTU?)

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Sat Nov 30 23:49:55 CET 2019

Hello Catscrash,

Please use the process described on the HelpRequests[1] page for getting help.
Your problem is a common one and it's been discussed several times already.
Also, please read the description of options before using them.
fragmentation=yes in ipsec.conf only pertains to the activation and usage of IKE fragmentation (management traffic),
not to fragmentation on the IP (network) layer.

Kind regards


[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

Am 30.11.19 um 23:31 schrieb Catscrash:
> Hi,
> I have an issue with one of my tunnels. Both sides have strongswan 5.5.1-4+deb9u4 installed on Debian 9.
> Here is the config
> conn connection1
>         type=tunnel
>         left=IP_Server_A
>         leftsubnet=
>         leftfirewall=yes
>         leftid=IP_Server_A
>         right=IP_Server_B
>         rightsubnet=
>         rightid=IP_Server_B
>         auto=start
>         compress=yes
>         #Phase-1
>         keyexchange=ikev2
>         authby=secret
>         ike=aes256-sha256-modp4096
>         ikelifetime=24h
>         #Phase-2
>         keylife=1h
>         esp=aes256-sha256-modp4096
> The other side looks like that, with left and right switched.
> Ping works from A to B and from B to A.
> When I ssh from B to A, it works, but as soon as I have a larger terminal output the connection breaks.
> When I ssh from A to B, everything works fine.
> When I do a scp on server B to push a file to server A, everything works fine, even for huge files.
> When I do a scp on server B to pull a file from server A, it breaks after a few bytes and doesn't continue.
> I thought this sounds like an MTU issue. I tried setting fragmentation=yes, which did not help. The external interfaces on both sides have mtu 1500 set, at least that's what "ip link show" says.
> I tried to find out which MTU would work with the ping -M do -s command. And it seems everything above 1410 causes trouble. So I guess setting it to 1400 would be fine... But how? I'd rather not set the external interface MTU, since there are a lot of other tunnels on those servers that work just fine except for this one
> Thanks for any help!
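Since fragmentation=yes only governs IKE fragmentation, the IP-layer MTU inside the tunnel has to be worked out separately. The following is an added example, not code from the thread or from strongSwan: it models the tunnel-mode ESP encapsulation overhead for the esp=aes256-sha256 proposal in the posted config (AES-256-CBC with a 16-byte IV and a 16-byte cipher block, HMAC-SHA2-256-128 with a 16-byte ICV) over IPv4, and derives the largest `ping -M do -s` payload and the TCP MSS that fit a 1500-byte outer MTU. It assumes no NAT traversal (optionally modelled as 8 bytes of UDP encapsulation) and ignores the IPComp header that compress=yes can add. With these assumptions the computed ping limit is 1410 bytes, which is the figure the probe in the post found.

```python
"""Inner MTU estimate for a tunnel-mode ESP SA (added example, not from the
thread).  Assumptions: IPv4 outer and inner headers, AES-CBC with a 16-byte IV
and 16-byte block size, a 16-byte ICV (HMAC-SHA2-256-128), no IPComp header."""

OUTER_IPV4 = 20        # outer IPv4 header added by tunnel mode
ESP_HEADER = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1), inside the ciphertext
UDP_ENCAP = 8          # UDP header, only present with NAT traversal (UDP/4500)
INNER_IPV4 = 20        # header of the encapsulated (inner) packet
ICMP_ECHO_HEADER = 8   # type, code, checksum, identifier, sequence
TCP_HEADER = 20        # TCP header without options


def esp_packet_size(inner_len, iv_len=16, block=16, icv_len=16, nat_t=False):
    """Length of the outer IPv4 packet carrying an inner packet of inner_len
    bytes in tunnel-mode ESP.  The inner packet plus the ESP trailer is padded
    up to a multiple of the cipher block size before the ICV is appended."""
    plain = inner_len + ESP_TRAILER
    padded = -(-plain // block) * block            # round up to block multiple
    size = OUTER_IPV4 + ESP_HEADER + iv_len + padded + icv_len
    if nat_t:
        size += UDP_ENCAP
    return size


def max_inner_len(outer_mtu, **kw):
    """Largest inner packet that still fits outer_mtu after encapsulation.
    esp_packet_size() is monotone in inner_len, so a downward scan suffices."""
    n = outer_mtu
    while esp_packet_size(n, **kw) > outer_mtu:
        n -= 1
    return n


def max_ping_payload(outer_mtu, **kw):
    """Largest N for which `ping -M do -s N` should pass the tunnel
    unfragmented (inner IPv4 header and ICMP echo header subtracted)."""
    return max_inner_len(outer_mtu, **kw) - INNER_IPV4 - ICMP_ECHO_HEADER


def tcp_mss_for(outer_mtu, **kw):
    """TCP MSS that keeps a full-size segment within the inner MTU; this is
    the value one would clamp to if working around the problem with MSS
    clamping instead of lowering an interface MTU."""
    return max_inner_len(outer_mtu, **kw) - INNER_IPV4 - TCP_HEADER


if __name__ == "__main__":
    for nat_t in (False, True):
        print(f"NAT-T={nat_t!s:5}  inner MTU={max_inner_len(1500, nat_t=nat_t)}"
              f"  max ping -s={max_ping_payload(1500, nat_t=nat_t)}"
              f"  TCP MSS={tcp_mss_for(1500, nat_t=nat_t)}")
```

Running it for a 1500-byte outer MTU gives an inner MTU of 1438 bytes, a maximum ping payload of 1410 and an MSS of 1398 without NAT traversal; with UDP encapsulation the padding step makes the inner MTU drop to 1422. Whether the probe result matches this table is a quick way to tell whether the observed limit is explained by ESP overhead alone or by something else on the path.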

