On 05/04/2017 11:51 AM, Justin Pryzby wrote:
> I'm having an issue setting MSS=1300 for an ipsec host. Depending
> on whether I define the zone to be "ipsec" or "ipv4" I can get incoming
> SYN or SYN,ACK to hit the MSS rule, but not both. I have
> FASTACCEPT=No. It seems like iptables thinks the originating
> packet from our LAN to the remote host matches "ipsec" (due to ip
> xfrm policy), and the response outgoing packet is ipv4, since, by
> the time it's been decoded and can match the address and TCP
> headers, it no longer matches ipsec.
>
> workstation A on 10.0.0.193/24 LAN => gateway 10.0.0.1 running
> strongswan+shorewall => remote ipsec peer => remote host B
> 10.88.127.66
>
> For example with zones: viya ipv4 mss=1300:
>
> On A: 10.0.0.193.56750 > 10.1.0.159.22: Flags [S], cksum 0xb2d8 (correct), seq 3938805331, win 29200, options [mss 1460,...
> On B: 50.244.222.1.56750 > 10.88.127.66.22: Flags [S], cksum 0x2e49 (correct), seq 3938805331, win 29200, options [mss 1300,sackOK,TS val 3792543 ecr 0,nop,wscale 7], length 0
> => initial request MSS has been clamped as intended
>
> On B: 10.88.127.66.22 > 50.244.222.1.56750: Flags [S.], cksum 0x9abe (incorrect -> 0xa961), seq 3878161065, ack 3938805332, win 28960, options [mss 1460,sackOK,TS val 42635466 ecr 3792543,nop,wscale 7], length 0
> On A: 10.1.0.159.22 > 10.0.0.193.56750: Flags [S.], cksum 0x2e91 (correct), seq 3878161065, ack 3938805332, win 28960, options [mss 1460,sackOK,TS val 42635466 ecr 3792543,nop,wscale 7], length 0
> => response MSS was not clamped
>
> And with zones: viya ipsec mss=1300:
>
> request seen by B: 50.244.222.1.56728 > 10.88.127.66.22: Flags [S], cksum 0x52d6 (correct), seq 2546006166, win 29200, options [mss 1460
> response seen by A: 10.1.0.159.22 > 10.0.0.193.56728: Flags [S.], cksum 0x976f (correct), seq 224921005, ack 2546006167, win 28960, options [mss 1300
>
> I was able to clamp MSS in both directions by creating two zones,
> one for ipsec and one for ipv4.
>
> Is it possible to do this without duplicate zones?
>
> I'm using shorewall 5.0.15.2, strongswan 5.5.1, and linux 3.13
Sounds to me like you have an IPSEC configuration problem, with IPSEC only
being used in one direction.

-Tom
--
Tom Eastep            \   Q: What do you get when you cross a mobster with
Shoreline,             \     an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.net     \________________________________________________

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
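The two tcpdump traces in the question show the same handshake from both ends of the tunnel, and the poster reads off by eye which SYN-bearing segment had its MSS rewritten. As an added example that is not part of the thread, of Shorewall or of strongSwan, the script below automates that reading: it pairs the pre-gateway and post-gateway view of each SYN and SYN-ACK by TCP sequence number (which NAT and TCPMSS rewriting leave unchanged) and reports per direction whether the smallest MSS observed is within the clamp limit. The sample lines are copied from the post; the vantage labels "A" and "B" and the limit 1300 are the poster's, and the `CAPTURE_*` names, `parse_packet`, `clamp_report` and `summarize` are mine.

```python
import re
from collections import defaultdict

# Matches the TCP summary tcpdump prints; a leading timestamp or "IP" is tolerated
# because the regex is searched, not anchored.
PKT_RE = re.compile(
    r"(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\].*?"
    r"seq (?P<seq>\d+).*?options \[mss (?P<mss>\d+)"
)

# Capture lines quoted from the thread as (vantage host, tcpdump line).
# A is the LAN workstation behind the clamping gateway, B the remote host.
# Case 1: zone entry "viya ipv4 mss=1300".
CAPTURE_IPV4_ZONE = [
    ("A", "10.0.0.193.56750 > 10.1.0.159.22: Flags [S], cksum 0xb2d8 (correct), "
          "seq 3938805331, win 29200, options [mss 1460,..."),
    ("B", "50.244.222.1.56750 > 10.88.127.66.22: Flags [S], cksum 0x2e49 (correct), "
          "seq 3938805331, win 29200, options [mss 1300,sackOK,TS val 3792543 ecr 0,"
          "nop,wscale 7], length 0"),
    ("B", "10.88.127.66.22 > 50.244.222.1.56750: Flags [S.], cksum 0x9abe (incorrect -> 0xa961), "
          "seq 3878161065, ack 3938805332, win 28960, options [mss 1460,sackOK,"
          "TS val 42635466 ecr 3792543,nop,wscale 7], length 0"),
    ("A", "10.1.0.159.22 > 10.0.0.193.56750: Flags [S.], cksum 0x2e91 (correct), "
          "seq 3878161065, ack 3938805332, win 28960, options [mss 1460,sackOK,"
          "TS val 42635466 ecr 3792543,nop,wscale 7], length 0"),
]

# Case 2: zone entry "viya ipsec mss=1300" (only the far-side view of each segment was posted).
CAPTURE_IPSEC_ZONE = [
    ("B", "50.244.222.1.56728 > 10.88.127.66.22: Flags [S], cksum 0x52d6 (correct), "
          "seq 2546006166, win 29200, options [mss 1460"),
    ("A", "10.1.0.159.22 > 10.0.0.193.56728: Flags [S.], cksum 0x976f (correct), "
          "seq 224921005, ack 2546006167, win 28960, options [mss 1300"),
]


def parse_packet(line):
    """Return src, dst, flags, seq and mss for one tcpdump line, or None if it
    carries no MSS option (non-SYN segments never do)."""
    m = PKT_RE.search(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["seq"] = int(pkt["seq"])
    pkt["mss"] = int(pkt["mss"])
    return pkt


def clamp_report(capture, limit):
    """Group SYN-bearing segments by (flags, seq) across vantage points.

    The sequence number is not touched by NAT or by the TCPMSS target, so it
    pairs the pre-gateway and post-gateway copy of the same segment. A segment
    counts as clamped when the smallest MSS any vantage point saw is <= limit.
    """
    seen = defaultdict(dict)
    for vantage, line in capture:
        pkt = parse_packet(line)
        if pkt is None or "S" not in pkt["flags"]:
            continue
        seen[(pkt["flags"], pkt["seq"])][vantage] = pkt["mss"]

    report = {}
    for (flags, seq), by_host in seen.items():
        kind = "SYN-ACK" if "." in flags else "SYN"   # "." is tcpdump's ACK flag
        report[kind] = {
            "seq": seq,
            "mss_seen": dict(by_host),
            "clamped": min(by_host.values()) <= limit,
        }
    return report


def summarize(capture, limit):
    """One word per direction, the way a reader would annotate the trace."""
    return {kind: ("clamped" if r["clamped"] else "NOT clamped")
            for kind, r in clamp_report(capture, limit).items()}


if __name__ == "__main__":
    for name, cap in (("ipv4 zone", CAPTURE_IPV4_ZONE), ("ipsec zone", CAPTURE_IPSEC_ZONE)):
        print(name, summarize(cap, 1300))
```

Run against the two captures it reproduces the poster's finding: with the ipv4 zone only the SYN is clamped, with the ipsec zone only the SYN-ACK. The same pairing works on a live `tcpdump -nn 'tcp[tcpflags] & tcp-syn != 0'` taken on both sides of a gateway, which is a quicker check than inspecting the `iptables -t mangle -L -v` counters.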
