I found a temporary fix based on the MSS talk in LVS-Tun. It works and it has minimal impact - only modifies IPSec-transported traffic, which was one of my unstated needs, I wanted traffic that does not go over VPN to not have to suffer from a less efficient MSS. The real situation is like this:
Client1----ClientIPsec========ServerIPsec/LVS-----RealServer
Client2---------------------------------/

This is the netfilter rule I came up with. It's an INPUT rule because IPSec reinserts the decrypted packets back on the external interface.

    iptables -I INPUT -p TCP -m policy --dir in --pol ipsec -m tcp --syn -m tcpmss --mss 1400: -j TCPMSS --set-mss 1400

This matches decrypted incoming SYN packets that have an MSS higher than 1400, and it clamps it down to 1400. That number comes from the stock MSS (1560) minus 56 bytes for the IPSec header. I am only looking at higher MSS rather than blindly clamping it to 1400, in case the other end wants an even lower MSS.

--
Laurentiu

_______________________________________________
LinuxVirtualServer.org mailing list - [email protected]
Send requests to [EMAIL PROTECTED] or go to http://lists.graemef.net/mailman/listinfo/lvs-users
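To make visible what the TCPMSS target in the rule above actually does to a packet, here is an added Python example (not part of the list post or of netfilter) that builds a TCP SYN segment carrying an MSS option, walks the option list the way a clamping rule must, rewrites the MSS only when the segment is a SYN and its MSS is above the limit, and recomputes the TCP checksum so the result is still a valid segment. The IP addresses, ports and sequence number are constructed sample values; the 1400 limit is the one from the rule.

```python
import ipaddress
import struct

# Constructed limit, taken from the iptables rule in the post.
CLAMP_TO = 1400


def _ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum including the IPv4 pseudo-header (protocol 6)."""
    pseudo = struct.pack("!4s4sBBH",
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed,
                         0, 6, len(segment))
    return _ones_complement_sum(pseudo + segment)


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, mss: int) -> bytes:
    """Construct a SYN segment with a single MSS option (kind 2, length 4)."""
    options = struct.pack("!BBH", 2, 4, mss)
    data_offset = (20 + len(options)) // 4          # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH",
                         sport, dport,
                         1000,                      # constructed sequence number
                         0,                         # ack number
                         data_offset << 4,          # data offset, reserved bits zero
                         0x02,                      # flags: SYN only
                         65535, 0, 0)               # window, checksum (0 for now), urgent
    segment = header + options
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def find_mss(segment: bytes):
    """Walk the TCP options; return (byte offset of MSS value, MSS) or (None, None)."""
    header_len = (segment[12] >> 4) * 4
    i = 20
    while i < header_len:
        kind = segment[i]
        if kind == 0:                  # End of option list
            break
        if kind == 1:                  # NOP padding
            i += 1
            continue
        if i + 1 >= header_len:        # truncated option: stop rather than misparse
            break
        length = segment[i + 1]
        if length < 2:
            break
        if kind == 2 and length == 4:
            return i + 2, struct.unpack("!H", segment[i + 2:i + 4])[0]
        i += length
    return None, None


def clamp_syn_mss(src_ip: str, dst_ip: str, segment: bytes, max_mss: int = CLAMP_TO) -> bytes:
    """Mirror of '--syn -m tcpmss --mss 1400: -j TCPMSS --set-mss 1400':
    only SYN segments whose MSS exceeds max_mss are rewritten; a lower MSS
    offered by the peer, or a non-SYN segment, is passed through untouched."""
    if not segment[13] & 0x02:                    # SYN flag not set
        return segment
    offset, mss = find_mss(segment)
    if offset is None or mss <= max_mss:
        return segment
    patched = bytearray(segment)
    patched[offset:offset + 2] = struct.pack("!H", max_mss)
    patched[16:18] = b"\x00\x00"                  # zero the checksum before recomputing
    patched[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(patched)))
    return bytes(patched)


def verify_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A segment with a correct checksum sums to zero when checksummed again."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


if __name__ == "__main__":
    syn = build_syn("10.0.0.1", "10.0.0.2", 40000, 80, 1460)
    out = clamp_syn_mss("10.0.0.1", "10.0.0.2", syn)
    print("before:", find_mss(syn)[1], "after:", find_mss(out)[1],
          "checksum ok:", verify_checksum("10.0.0.1", "10.0.0.2", out))
```

The point of `find_mss` walking the option list rather than assuming the MSS sits at byte 20 is that real SYNs carry SACK-permitted, window scale and timestamp options in varying order; the same care is why a rule that matches only on `--syn` with a threshold (`--mss 1400:`) is cheaper and less intrusive than clamping every segment.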
