Hello Noel and list readers,

if your gateway is sending ESP packets which need to be fragmented, the only way to change this is by setting smaller MTU sizes on the outgoing interfaces of those hosts which are sending these ESP packets. The behavior of ESP is totally independent of TCP MSS; sorry for my misreading of your first mail.

Perhaps you would like to find out a maximum usable MTU size by sending pings with increasing packet sizes (-s xyz) while watching with tcpdump what's coming back. Of course, ICMP echo-request and echo-reply must not be filtered on your gateways in the INPUT and OUTPUT chains. And you need to run tcpdump on the gateway(s) or on a router in between them.

Happy working, have fun!

Johannes
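The ping probing described in the mail above, as an added example that is not part of the original message: a binary search over `ping -s` payload sizes for the largest one that still gets a reply. It assumes Linux iputils `ping` and adds `-M do` (set the Don't Fragment bit), which the mail does not mention, so that an oversized probe fails instead of being fragmented; `PEER`, `probe`, `find_max_payload` and `payload_to_mtu` are names made up for this sketch, and the default address is a documentation placeholder.

```shell
#!/bin/sh
# Added example. Run tcpdump on the gateway in a second terminal while probing,
# e.g.:  tcpdump -ni <outgoing-interface> 'icmp or esp'

PEER=${PEER:-192.0.2.1}   # placeholder address, replace with the remote host

# One probe: a single echo-request with the given ICMP payload size and DF set.
# Succeeds only if an echo-reply comes back within one second.
probe() {
    ping -c 1 -W 1 -M do -s "$1" "$PEER" >/dev/null 2>&1
}

# find_max_payload LOW HIGH
# Prints the largest payload size in [LOW, HIGH] for which probe succeeds.
# Returns 1 if even LOW fails (host unreachable or ICMP filtered).
find_max_payload() {
    lo=$1
    hi=$2
    probe "$lo" || { echo "probe with payload $lo failed" >&2; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid"; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$lo"
}

# IPv4 packet size for a given ICMP payload: 20 bytes IP header + 8 bytes ICMP header.
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# Typical use:
#   max=$(find_max_payload 1200 1472) && echo "usable MTU: $(payload_to_mtu "$max")"
```

The binary search assumes every payload below the limit gets a reply, so packet loss on the path can make the result too low; repeat the run before changing an interface MTU.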
