[strongSwan] Overriding DF on XFRM interfaces

John Marrett johnf at zioncluster.ca
Mon Jan 17 18:50:38 CET 2022


Rajiv,

Thanks very much for taking the time to provide me with such a detailed
response.

Since I wrote this message I've established with the appliance vendor that,
in general, their systems should work properly with adjusted MSS values and
respect ICMP unreachable messages; while our specific system didn't, they
were unable to reproduce the issue in their lab.

> d) Some things you need to check after applying the above mss-clamping.
>
> - Capture the tcp-session packets flowing between appliance1 and
> peer-router1 lan-interface, and
> - check whether the MSS value is being negotiated and set to 1240 OR do
> both appliances1/2 continue to set their MSS to 1460 ignoring the
> mss-clamping?
>
We have done this; the packets are adjusted as you would expect by our
rules.

> a) This I think can most probably be done by "disabling pmtu-discovery" on
> both the appliances as below:
>
> "echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc"
> - this will ensure that the tcp/udp packets are NOT set with the df-bit
> flag
>
> b) The above should be possible on Linux/Unix systems if that's what the
> appliances are using.
>
We don't have the necessary access to the OS to make this change.

> c) So FYI, since you are using XFRMi interfaces with strongswan-ikev2 and
> specifically using swanctl.conf, you may please try the below setting for
> "clearing the df-bit flag in the outer-ip-hdr of the ESP packets"
>
> connections.<conn>.children.<child>.copy_df (since 5.7.0) yes (by default)
>
> - Whether to copy the DF bit to the outer IPv4 header in tunnel mode.
>
> set this as:
>
> connections.<conn>.children.<child>.copy_df=no
>
This is extremely interesting. I didn't notice this setting in my review of
the documentation and it looks like it's the setting that I need if the
appliances don't properly respect ICMP unreachables.

Thanks again for your time and for bringing this setting to my attention.

-JohnF
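An added example, not from this thread or from the strongSwan project: a minimal swanctl.conf fragment showing where the copy_df setting Rajiv mentions sits in a route-based (XFRM interface) child. The connection name, addresses, identities, proposal and the interface ID 42 are assumed placeholders.

```conf
# Added example swanctl.conf fragment (assumed values, not from the thread).
# Route-based tunnel on XFRM interface ipsec42: the traffic selectors are
# open and the routing table decides which packets enter the interface.
connections {
    site-a-b {
        version = 2
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.20
        local {
            auth = pubkey
            id = "CN=site-a"
        }
        remote {
            auth = pubkey
            id = "CN=site-b"
        }
        children {
            xfrmi {
                # Bind the CHILD_SA to the XFRM interface with if_id 42
                if_id_in  = 42
                if_id_out = 42
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                mode = tunnel
                esp_proposals = aes256gcm16-x25519
                start_action = start
                # Default (copy_df = yes): an inner packet carrying DF produces an
                # outer ESP packet carrying DF, so an undersized link on the path
                # drops it and the sender must honour the ICMP fragmentation-needed
                # message. With copy_df = no the outer packet can be fragmented en
                # route, which sidesteps appliances that ignore that ICMP.
                copy_df = no
            }
        }
    }
}
```

The MSS clamp discussed earlier still belongs on the ipsec42 interface; copy_df only affects the outer ESP header, and fragmented ESP is reassembled by the peer's IP stack before decryption, at some cost in throughput and receiver-side reassembly state.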