Hi,

Either peer will try to send packets with the maximum MTU of the route (pmtu discovery also has a play in it).
There can be a lot of problems. Try to fix the MSS and the MTU for the routes first. There are keys in strongswan.conf for that. They are only significant for connections that are terminated or initiated by the host.

I strongly recommend stopping trying to guess what the problem is and taking a look at what happens with the packets on the wire and in the kernel. tcpdump, tshark, wireshark(-gtk) and the iptables LOG and TRACE targets are your friends.

To be able to help you, I need some traffic dumps and the things that are listed on the HelpRequests page on the wiki.
https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

Kind regards

Noel

On 09.08.2017 16:10, lejeczek wrote:
> hi everyone
>
> I'd like to ask - how MTU affects link/connection of a tunnel if MTUs on both
> ends are different?
>
> I'm asking because I'm seeing behaviour, symptoms which I think relate or are
> directly caused by:
>
> _Aclient(auto=1500) <=> server(out iface auto=1500), server other iface
> 10.10.10.100(mtu=8192)
>
> _Aclient vpns in fine, server's rightsourceip=10.10.10.220,10.10.10.221 and
> server is pingable from _Aclient as any other node on 10.10.10.0/24 is, but!
> _Aclient cannot ssh to the server nor can to any other node on 10.10.10.0/24
>
> Normally I'd blame, with high certainty, MTUs but because I only begin
> looking at Strongswan I'm looking for experts to share few thoughts and
> advices.
>
> many thanks, L.
>
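
The strongswan.conf keys for MSS and MTU on routes that the reply refers to, shown as an added example that is not part of the original thread. The values 1400 and 1360 are assumed conservative starting points, not figures from either poster; 1360 is 1400 minus 40 bytes of IPv4 and TCP headers.

```conf
# /etc/strongswan.conf (fragment)
charon {
    plugins {
        kernel-netlink {
            # MTU set on the routes charon installs for tunnelled traffic.
            # Default 0 leaves it unset. 1400 is an assumed value that leaves
            # room for ESP overhead on a 1500-byte outer path.
            mtu = 1400

            # MSS advertised on those same routes. Default 0 leaves it unset.
            # Assumed value: mtu minus 20 bytes IPv4 header and 20 bytes TCP header.
            mss = 1360
        }
    }
}
```

These settings act on routes installed on the strongSwan host itself, so they only cover connections that the host terminates or initiates, as the reply says.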