I'm having an issue setting MSS=1300 for an ipsec host. Depending on whether I
define the zone as "ipsec" or "ipv4", I can get the incoming SYN or the SYN,ACK to
hit the MSS rule, but not both. I have FASTACCEPT=No. It seems like iptables
thinks the originating packet from our LAN to the remote host matches "ipsec"
(due to ip xfrm policy), and the response outgoing packet is ipv4, since, by
the time it's been decoded and can match the address and TCP headers, it no
longer matches ipsec.

workstation A on 10.0.0.193/24 LAN      =>
gateway 10.0.0.1 running strongswan+shorewall   =>
remote ipsec peer =>
remote host B 10.88.127.66

For example with zones: viya ipv4 mss=1300:

        On A: 10.0.0.193.56750 > 10.1.0.159.22: Flags [S], cksum 0xb2d8 (correct), seq 3938805331, win 29200, options [mss 1460,...
        On B: 50.244.222.1.56750 > 10.88.127.66.22: Flags [S], cksum 0x2e49 (correct), seq 3938805331, win 29200, options [mss 1300,sackOK,TS val 3792543 ecr 0,nop,wscale 7], length 0
        => initial request MSS has been clamped as intended

        On B: 10.88.127.66.22 > 50.244.222.1.56750: Flags [S.], cksum 0x9abe (incorrect -> 0xa961), seq 3878161065, ack 3938805332, win 28960, options [mss 1460,sackOK,TS val 42635466 ecr 3792543,nop,wscale 7], length 0
        On A: 10.1.0.159.22 > 10.0.0.193.56750: Flags [S.], cksum 0x2e91 (correct), seq 3878161065, ack 3938805332, win 28960, options [mss 1460,sackOK,TS val 42635466 ecr 3792543,nop,wscale 7], length 0
        => response MSS was not clamped

And with zones: viya ipsec mss=1300:

        request seen by B: 50.244.222.1.56728 > 10.88.127.66.22: Flags [S], cksum 0x52d6 (correct), seq 2546006166, win 29200, options [mss 1460
        response seen by A: 10.1.0.159.22 > 10.0.0.193.56728: Flags [S.], cksum 0x976f (correct), seq 224921005, ack 2546006167, win 28960, options [mss 1300

I was able to clamp MSS in both directions by creating two zones, one for ipsec
and one for ipv4.

Is it possible to do this without duplicate zones?

I'm using shorewall 5.0.15.2, strongswan 5.5.1, and linux 3.13

Thanks in advance,
Justin

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
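A small checker for the situation described in the post, added here as an example (it is not from the original message or from Shorewall): it parses tcpdump summary lines of the kind quoted above, pairs each SYN with its SYN/ACK, and reports whether the MSS was clamped in each direction, so "clamped one way only" shows up as a concrete result rather than by eyeballing hex dumps. It assumes the `tcpdump -vv` line format seen in the post and that the client's ephemeral port is preserved end to end (true in the quoted captures, where addresses differ between the two capture points but ports do not); the sample lines are copied from the post's own far-end captures.

```python
import re
from typing import Dict, List, Optional

# tcpdump -vv TCP summary line as quoted in the post:
#   "src.port > dst.port: Flags [S], cksum ..., options [mss 1460,...], length 0"
# The options bracket may be unterminated because some quoted lines were cut off.
LINE_RE = re.compile(
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\].*?options \[(?P<opts>[^\]]*)"
)
MSS_RE = re.compile(r"\bmss (\d+)")


def parse_line(line: str) -> Optional[dict]:
    """Extract endpoints, TCP flags and the advertised MSS from one tcpdump line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    mss = MSS_RE.search(m["opts"])
    return {
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "flags": m["flags"],
        "mss": int(mss.group(1)) if mss else None,
    }


def audit_mss(lines: List[str], max_mss: int) -> Dict[int, dict]:
    """Pair each SYN with its SYN/ACK and record whether each direction's MSS is
    at or below max_mss. Flows are keyed on the client's ephemeral port, which is
    assumed to survive the NAT/IPsec path (it does in the post's captures);
    addresses differ between capture points, so they are deliberately ignored."""
    flows: Dict[int, dict] = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["mss"] is None:
            continue
        if pkt["flags"] == "S":        # client SYN: client port is the source port
            flows.setdefault(pkt["sport"], {})["syn_mss"] = pkt["mss"]
        elif pkt["flags"] == "S.":     # server SYN/ACK: client port is the destination port
            flows.setdefault(pkt["dport"], {})["synack_mss"] = pkt["mss"]
    for entry in flows.values():
        syn, synack = entry.get("syn_mss"), entry.get("synack_mss")
        entry["syn_clamped"] = syn is not None and syn <= max_mss
        entry["synack_clamped"] = synack is not None and synack <= max_mss
    return flows


def fully_clamped(report: Dict[int, dict]) -> bool:
    """True only if every observed handshake was clamped in both directions."""
    return bool(report) and all(
        e["syn_clamped"] and e["synack_clamped"] for e in report.values()
    )


# Sample captures, taken from the post (far-end view of each packet).
# Zone defined as ipv4: the SYN reaching B is clamped, the SYN/ACK reaching A is not.
IPV4_ZONE_CAPTURE = [
    "50.244.222.1.56750 > 10.88.127.66.22: Flags [S], cksum 0x2e49 (correct), seq 3938805331, win 29200, options [mss 1300,sackOK,TS val 3792543 ecr 0,nop,wscale 7], length 0",
    "10.1.0.159.22 > 10.0.0.193.56750: Flags [S.], cksum 0x2e91 (correct), seq 3878161065, ack 3938805332, win 28960, options [mss 1460,sackOK,TS val 42635466 ecr 3792543,nop,wscale 7], length 0",
]
# Zone defined as ipsec: the opposite, and the quoted lines were truncated after the mss option.
IPSEC_ZONE_CAPTURE = [
    "50.244.222.1.56728 > 10.88.127.66.22: Flags [S], cksum 0x52d6 (correct), seq 2546006166, win 29200, options [mss 1460",
    "10.1.0.159.22 > 10.0.0.193.56728: Flags [S.], cksum 0x976f (correct), seq 224921005, ack 2546006167, win 28960, options [mss 1300",
]

if __name__ == "__main__":
    for name, capture in (("ipv4 zone", IPV4_ZONE_CAPTURE), ("ipsec zone", IPSEC_ZONE_CAPTURE)):
        report = audit_mss(capture, 1300)
        for port, entry in sorted(report.items()):
            print(f"{name}: client port {port}: SYN mss={entry.get('syn_mss')} "
                  f"clamped={entry['syn_clamped']}, SYN/ACK mss={entry.get('synack_mss')} "
                  f"clamped={entry['synack_clamped']}")
        print(f"{name}: both directions clamped: {fully_clamped(report)}")
```

Feed it the output of `tcpdump -nvv 'tcp[tcpflags] & tcp-syn != 0'` from the two endpoints (or from the gateway's LAN and WAN sides) and `fully_clamped` becomes a pass/fail check you can rerun after each zone change.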
