I figured out what is going on, I think. When strongSwan receives a 1514 byte 
packet or one that is the full MTU from the outside website it does not have 
any more room to encapsulate it into an ESP packet to be sent back to the 
client. I tried setting the MSS values and played around with the MTU 
some more and it is still not working. Maybe I am setting the MSS wrong? On the 
strongSwan eth0 interface I did "ip route add 192.168.1.1 dev 
eth0 advmss 1400" and it still does not work.

Is this the problem with the received packets needing room for the ESP overhead?

Mark-


________________________________
 From: Mark M <[email protected]>
To: "[email protected]" <[email protected]> 
Sent: Saturday, July 21, 2012 1:14 PM
Subject: [strongSwan] IP Fragmentation problems on some websites
 

Hi,

I got my strongSwan gateway up and running. It is sitting behind my FIOS router 
and acting as a VPN gateway for roadwarrior/mobile clients. I thought everything 
was working great until I noticed that some websites do not load. The first one 
I found was yahoo.com. I fired up Wireshark and noticed that when I receive packets 
back from yahoo.com my strongSwan gateway sends Fragmentation needed ICMP 
messages back. 


Setting the MTU on my strongSwan gateway interfaces had no effect. I then set 
the MTU on my Verizon FIOS router to 1400 and some pages would start to work 
OK, like yahoo.com would start to work, but still others would not, with the same 
fragmentation problem.

Instead of putting the MTU on my FIOS router way down and possibly having other 
performance problems, is there an easy way to fix this? 


Thanks for any help,

Mark-

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
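
The size arithmetic behind the ESP-overhead question in this thread, as an added example that is not part of the original messages or of strongSwan: it computes how large a full 1500-byte inner packet becomes once wrapped in tunnel-mode ESP, and the largest inner packet and TCP MSS that still fit. The cipher suites, the NAT-T setting, IPv4 without options and the 1500-byte path MTU are assumptions, since the thread does not state them; the function names are hypothetical.

```python
# Added example: ESP tunnel-mode size arithmetic. The cipher suites and the
# NAT-T setting are assumptions; the thread does not state them.
from dataclasses import dataclass

OUTER_IP = 20      # outer IPv4 header, no options
NATT_UDP = 8       # UDP header added by NAT traversal (UDP port 4500)
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad-length byte + next-header byte
INNER_IP_TCP = 40  # inner IPv4 (20) + TCP (20), no options


@dataclass(frozen=True)
class Suite:
    iv: int      # bytes of IV carried in each packet
    block: int   # alignment required for the encrypted part
    icv: int     # integrity check value length


AES_CBC_SHA1 = Suite(iv=16, block=16, icv=12)   # AES-CBC + HMAC-SHA1-96
AES_GCM16 = Suite(iv=8, block=4, icv=16)        # AES-GCM with 16-byte ICV


def _fixed(s, natt):
    """Bytes added to every packet regardless of payload length."""
    return OUTER_IP + (NATT_UDP if natt else 0) + ESP_HDR + s.iv + s.icv


def outer_size(inner_len, s, natt):
    """Size of the ESP packet that carries an inner IP packet of inner_len."""
    enc = inner_len + ESP_TRAILER
    enc += -enc % s.block            # pad up to the cipher's alignment
    return _fixed(s, natt) + enc


def max_inner(path_mtu, s, natt):
    """Largest inner IP packet whose ESP packet still fits in path_mtu."""
    room = path_mtu - _fixed(s, natt)
    return room - room % s.block - ESP_TRAILER


def max_mss(path_mtu, s, natt):
    """Largest TCP MSS that keeps a full segment inside max_inner()."""
    return max_inner(path_mtu, s, natt) - INNER_IP_TCP


if __name__ == "__main__":
    for name, s in (("aes-cbc/sha1", AES_CBC_SHA1), ("aes-gcm16", AES_GCM16)):
        for natt in (False, True):
            print(name, "natt" if natt else "plain",
                  "1500 ->", outer_size(1500, s, natt),
                  "max inner", max_inner(1500, s, natt),
                  "max MSS", max_mss(1500, s, natt))
```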