Hello Noel, Tobias and list readers.

I'm doing the following setting on the strongswan gateway (4.5.2) based on Debian:

iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1280

Changing PCs behind the gateway is not necessary. But it might be a good idea to have the iptables on both ends of the IPsec tunnel. That solves perhaps more than I need, but it works well.

Kind regards, happy working
Johannes

On 22.08.2014 10:46, Noel Kuntze wrote:
> Hello Tobias,
>
> I tried the iptables commands on the VPN endpoint, which SNATs the
> connections to the internet, but that didn't work.
> What worked was doing it on the VPN initiator in my LAN, which connects to
> the internet over the other endpoint. No idea why only that works.
> Thanks!
>
> Regards,
> Noel Kuntze
>
> GPG Key id: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 22.08.2014 at 10:29, Tobias Brunner wrote:
>> Hi Noel,
>
>>> Is there a way to limit the mss that is encapsulated into the ESP packets
>>> and/or cause fragmentation on either of the endpoints?
>
>> You can do so via iptables [1] or the patches at [2].
>
>> Regards,
>> Tobias
>
>> [1] http://lartc.org/howto/lartc.cookbook.mtu-mss.html
>> [2] https://wiki.strongswan.org/issues/632#note-14
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
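How much room a TCP segment has inside an IPv4 ESP tunnel, and therefore which `--set-mss` values avoid fragmentation, worked through as an added example that is not part of the original thread. The cipher parameters and path MTUs are assumptions (the thread does not state them), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: size the TCPMSS clamp for an IPv4-in-IPv4 ESP tunnel.
# Assumed ESP transforms (not stated in the thread):
#   AES-CBC + HMAC-SHA1-96 : block 16, IV 16, ICV 12
#   AES-GCM-16             : block 4 (alignment only), IV 8, ICV 16

# esp_inner_max PATH_MTU BLOCK IV ICV NATT
# Largest inner IP packet that fits in one unfragmented ESP tunnel-mode packet.
# NATT is 8 when ESP is UDP-encapsulated (NAT traversal), otherwise 0.
esp_inner_max() {
    # Outer IPv4 header (20), optional UDP header, ESP header with SPI and
    # sequence number (8), then IV and ICV.
    _avail=$(( $1 - 20 - $5 - 8 - $3 - $4 ))
    # Inner packet + padding + 2 trailer bytes (pad length, next header)
    # must be a multiple of the block size, so round down to a block boundary.
    _enc=$(( $_avail / $2 * $2 ))
    echo $(( $_enc - 2 ))
}

# tcp_mss_for PATH_MTU BLOCK IV ICV NATT
# MSS = inner packet size minus inner IPv4 header (20) and TCP header (20).
tcp_mss_for() {
    echo $(( $(esp_inner_max "$@") - 40 ))
}

# fits MSS PATH_MTU BLOCK IV ICV NATT
# Succeeds when a clamp of MSS keeps every segment inside one ESP packet.
fits() {
    _mss=$1; shift
    [ "$_mss" -le "$(tcp_mss_for "$@")" ]
}

# clamp_rule MSS: print (never execute) the rule from the thread for this MSS.
clamp_rule() {
    echo "iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $1"
}

# Constructed scenarios: path MTU, block, IV, ICV, NAT-T overhead.
echo "Ethernet 1500, AES-CBC/SHA1:        max MSS $(tcp_mss_for 1500 16 16 12 0)"
echo "Ethernet 1500, AES-GCM-16:          max MSS $(tcp_mss_for 1500 4 8 16 0)"
echo "PPPoE 1492, AES-CBC/SHA1 + NAT-T:   max MSS $(tcp_mss_for 1492 16 16 12 8)"
if fits 1280 1492 16 16 12 8; then
    echo "1280 from the thread fits with room to spare"
fi
clamp_rule "$(tcp_mss_for 1492 16 16 12 8)"
```

The rule only rewrites the MSS option in SYN packets traversing FORWARD, so it must sit on a host that forwards the TCP handshake before encapsulation.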
