Hi,

the 'overridemtu' was used by FreeS/WAN's own KLIPS IPsec stack and has in fact been deprecated with the native NETKEY IPsec stack of the Linux 2.6 kernel. The best way to avoid IP fragmentation problems is by enabling PMTU (Path MTU discovery) by setting the "do not fragment" (DF) bit in IP packets and allowing the forwarding of the "fragmentation required" ICMP (type 3, subtype 4) notifications in all firewalls in between.

Regards

Andreas

Reid Stidolph wrote:
> I am looking for a way to modify the MTU on the virtual tunnel interface.
> It seemed like there was a deprecated setting 'overridemtu' that could be
> configured in ipsec.conf. However, when I configure:
>
> conn home
>     left=192.168.1.30
>     leftsourceip=%config
>     eap_identity=xxxxxxx
>     leftid=xxxxxxx
>     leftauth=eap
>     leftfirewall=yes
>     right=192.168.1.2
>     rightid=192.168.1.2
>     rightsubnet=172.16.90.0/24
>     auto=add
>     ike=3des-sha1-md5-modp1024
>     overridemtu=1300
>
> I get the following:
>
> r...@shuttle2:/usr/local/etc# ipsec start
> Starting strongSwan 4.3.5 IPsec [starter]...
> charon is already running (/var/run/charon.pid exists) -- skipping charon start
> # unsupported keyword 'overridemtu' in conn 'home'
> ### 1 parsing error (0 fatal) ###
>
> What is the proper way to set tunnel MTU?
>
> I need to reduce tunnel MTU sizes, in order to prevent ESP/UDP
> fragmentation (due to exceeding the ethernet interface MTU). Re-assembly of
> large amounts of ESP/UDP packets is burdening my gateway network processors.
>
> Help is greatly appreciated.

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
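As an added example (not from the list post and not strongSwan code), the size arithmetic behind the poster's fragmentation problem: how many bytes ESP-in-UDP (NAT-T) encapsulation adds for the 3DES/SHA1 proposal in the quoted conn, and the largest clear-text packet that still fits an outer path MTU, which is exactly the value PMTU discovery learns from an ICMP type 3, code 4 message. The cipher IV/block sizes and the 12-byte truncated-HMAC ICV are assumptions stated in the code.

```python
# Added example (not strongSwan code): size arithmetic for ESP-in-UDP tunnels.
IPV4_HDR = 20        # outer IPv4 header
UDP_HDR = 8          # NAT-T UDP encapsulation header (RFC 3948)
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
ICV_LEN = 12         # assumed: truncated HMAC-SHA1-96 / HMAC-MD5-96 ICV

# Assumed (IV length, cipher block size) in bytes for CBC-mode ESP ciphers.
CIPHERS = {"3des": (8, 8), "aes128": (16, 16)}


def esp_packet_len(inner_len, cipher="3des", udp_encap=True, icv=ICV_LEN):
    """Bytes on the wire when an `inner_len`-byte clear-text packet is tunnelled."""
    iv, block = CIPHERS[cipher]
    # The cipher text (payload + padding + trailer) must be a block multiple.
    padded = inner_len + ESP_TRAILER
    padded += (-padded) % block
    total = IPV4_HDR + ESP_HDR + iv + padded + icv
    return total + UDP_HDR if udp_encap else total


def max_inner_mtu(outer_mtu=1500, cipher="3des", udp_encap=True):
    """Largest clear-text packet that fits `outer_mtu` without fragmentation.

    `outer_mtu` is the path MTU: the link MTU, or the next-hop MTU reported by
    an ICMP 'fragmentation required' (type 3, code 4) message when DF is set.
    """
    for n in range(outer_mtu, 0, -1):
        if esp_packet_len(n, cipher, udp_encap) <= outer_mtu:
            return n
    return 0


def needs_fragmentation(inner_len, outer_mtu=1500, cipher="3des", udp_encap=True):
    """True when the tunnelled packet would exceed the outer path MTU."""
    return esp_packet_len(inner_len, cipher, udp_encap) > outer_mtu


if __name__ == "__main__":
    for name in CIPHERS:
        print(f"{name}: max inner MTU over 1500-byte Ethernet = {max_inner_mtu(1500, name)}")
    # The poster's intended overridemtu=1300 leaves ample headroom.
    print("inner 1300 bytes fragments?", needs_fragmentation(1300))
```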
