[strongSwan] NAT-T, SNAT/DNAT and TCP checksum incorrect on peer VPN gateway (site-to-site)
noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Apr 21 22:04:44 CEST 2020
Those are likely all false leads.
It's likely to be an MTU/MSS problem, which is described on the wiki.
On 21.04.20 at 20:38, Narendra Joshi wrote:
> I have set up an IPSec gateway on a virtual instance in a VPC using a cloud provider. The cloud provider has Elastic IPs that aren't attached to any network interface on the virtual instance, so strongSwan uses NAT-T. Also I need to do SNAT/DNAT for mapping my side of the subnet that is advertised to my VPN peer.
> I have found that this setup causes very frequent TCP checksum failures. They are so frequent that an HTTP request fails ~50% of the time because the TCP connect times out. It would be great if anyone who has faced something similar before can help me understand what is happening and how it can be avoided.
> Here is an image of the setup I have:
> Best regards,