Hello Johannes, Tobias and Listreaders,

I still have problems with hosts on the network that send packets with length > pmtu/mss and df bit set. That generates an ICMP HOST UNREACHABLE (FRAGMENTATION NEEDED) error message that is sent by the ds-lite gateway to the VPN endpoint in the LAN.
Is there a way to relay that icmp error message to the original sender or force fragmentation on the VPN endpoint?

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 22.08.2014 at 12:26, Johannes Hubertz wrote:
> Hello Noel, Tobias and Listreaders.
>
> I'm doing on the strongswan gateway (4.5.2) based on Debian following
> setting:
>
> iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1280
>
> Changing PCs behind the gateway is not necessary. But it might be a good
> idea to have the iptables on both ends of the IPsec-tunnel.
>
> That solves? perhaps more than I need, but it works well.
>
> Kind regards, happy working
> Johannes
>
>
>
> On 22.08.2014 10:46, Noel Kuntze wrote:
>> Hello Tobias,
>>
>> I tried the iptables commands on the VPN endpoint, which SNATs the
>> connections to the internet, but that didn't work.
>> What worked was doing it on the VPN initiator in my LAN, which connects to
>> the internet over the other endpoint. No idea why only that works.
>> Thanks!
>>
>> Regards,
>> Noel Kuntze
>>
>> GPG Key id: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 22.08.2014 at 10:29, Tobias Brunner wrote:
>>> Hi Noel,
>>
>>>> Is there a way to limit the mss that is encapsulated into the ESP packets
>>>> and/or cause fragmentation on either of the endpoints?
>>
>>> You can do so via iptables [1] or the patches at [2].
>>
>>> Regards,
>>> Tobias
>>
>>> [1] http://lartc.org/howto/lartc.cookbook.mtu-mss.html
>>> [2] https://wiki.strongswan.org/issues/632#note-14
>>
>> _______________________________________________
>> Users mailing list
>> [email protected]
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>
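
Added example, not part of the thread and not strongSwan code: it computes the largest TCP MSS that still fits into one tunnel-mode ESP packet for a given path MTU, and checks the `--set-mss 1280` value from the rule quoted above against it. The 1500-byte access link, the 40-byte DS-Lite IPv6 header, option-free IPv4/TCP headers and the two cipher suites are assumptions; the thread names none of them.

```python
# Added example: all sizes below are assumptions, not values from the thread.
from dataclasses import dataclass

IPV4_HDR = 20      # header without options
IPV6_HDR = 40      # DS-Lite carries IPv4 inside IPv6
TCP_HDR = 20       # header without options
UDP_HDR = 8        # only present with NAT-T (UDP encapsulation of ESP)
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header


@dataclass(frozen=True)
class EspSuite:
    iv: int      # bytes of IV carried in each packet
    block: int   # padding alignment (cipher block size, minimum 4)
    icv: int     # bytes of integrity check value


AES_CBC_SHA1 = EspSuite(iv=16, block=16, icv=12)   # AES-CBC + HMAC-SHA1-96
AES_GCM_16 = EspSuite(iv=8, block=4, icv=16)       # AES-GCM with 16-byte ICV


def max_inner_packet(path_mtu: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Largest inner IPv4 packet that fits one tunnel-mode ESP packet unfragmented."""
    room = path_mtu - IPV4_HDR - (UDP_HDR if nat_t else 0)
    room -= ESP_HDR + suite.iv + suite.icv
    if room < suite.block:
        raise ValueError("path MTU too small for this ESP suite")
    # inner packet + padding + trailer must be a whole number of blocks
    return (room // suite.block) * suite.block - ESP_TRAILER


def max_mss(path_mtu: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Highest TCP MSS whose full-size segments still fit through the tunnel."""
    return max_inner_packet(path_mtu, suite, nat_t) - IPV4_HDR - TCP_HDR


def clamp_is_safe(mss: int, path_mtu: int, suite: EspSuite, nat_t: bool = False) -> bool:
    """True if a TCPMSS clamp of `mss` keeps segments under the tunnel limit."""
    return mss <= max_mss(path_mtu, suite, nat_t)


if __name__ == "__main__":
    dslite_mtu = 1500 - IPV6_HDR          # assumed 1500-byte access link
    for name, suite in (("AES-CBC/SHA1", AES_CBC_SHA1), ("AES-GCM-16", AES_GCM_16)):
        print(name, "max MSS:", max_mss(dslite_mtu, suite),
              "| 1280 safe:", clamp_is_safe(1280, dslite_mtu, suite))
```

Clamping only rewrites the MSS option in TCP SYN packets, so it does not help non-TCP traffic that is sent with DF set.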
