Hello Catscrash,

Please use the process described on the HelpRequests[1] page for getting help.
Your problem is a common one and it's been discussed several times already.

Also, please read the description of options before using them.
fragmentation=yes in ipsec.conf only pertains to the activation and usage of IKE fragmentation (management traffic), not the fragmentation on the IP (network) layer.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 30.11.19 at 23:31, Catscrash wrote:
> Hi,
>
> I have an issue with one of my tunnels. Installed on both sides is strongswan
> 5.5.1-4+deb9u4 on Debian 9.
>
> Here is the config
>
> conn connection1
>     type=tunnel
>     left=IP_Server_A
>     leftsubnet=10.155.0.1/32
>     leftfirewall=yes
>     leftid=IP_Server_A
>     right=IP_Server_B
>     rightsubnet=10.100.0.1/24
>     rightid=IP_Server_B
>     auto=start
>     compress=yes
>     #Phase-1
>     keyexchange=ikev2
>     authby=secret
>     ike=aes256-sha256-modp4096
>     ikelifetime=24h
>     #Phase-2
>     keylife=1h
>     esp=aes256-sha256-modp4096
>
> Other side looks like that, with left and right switched.
>
> Ping works from A to B and from B to A.
> When I ssh from B to A, it works, but as soon as I have a larger terminal
> output the connection breaks.
> When I ssh from A to B, everything works fine.
>
> When I do a scp on server B to push a file to server A, everything works
> fine, even for huge files.
>
> When I do a scp on server B to pull a file from server A, it breaks after a
> few bytes and doesn't continue.
>
> I thought this sounds like an MTU issue. I tried setting fragmentation=yes,
> which did not help. The external interfaces on both sides have mtu 1500 set,
> at least that's what "ip link show" says.
>
> I tried to find out which MTU would work with the ping -M do -s command. And
> it seems everything above 1410 causes trouble. So I guess setting it to 1400
> would be fine... But how? I'd rather not set the external interface MTU,
> since there are a lot of other tunnels on those servers that work just fine
> except for this one
>
> Thanks for any help!
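The following is an added example, not part of the thread and not strongSwan code: it works through the ESP tunnel-mode size arithmetic for the esp=aes256-sha256 proposal in the quoted config and reproduces the 1410-byte ping limit reported there. It assumes AES-CBC (16-byte block and IV), HMAC-SHA2-256 truncated to a 16-byte ICV, an IPv4 outer header, no NAT-T UDP encapsulation, and that compress=yes does not shrink the packet; the function names are made up for this illustration.

```python
# Added example: ESP tunnel-mode size arithmetic for esp=aes256-sha256.
# Assumptions (not stated in the thread): AES-CBC, HMAC-SHA2-256 truncated
# to 128 bits, IPv4 outer header, no NAT-T, IPComp not shrinking the packet.

OUTER_IPV4 = 20   # outer IPv4 header added in tunnel mode
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)
INNER_IPV4 = 20   # inner IPv4 header, no options
ICMP_HEADER = 8   # ICMP echo header
TCP_HEADER = 20   # TCP header, no options


def esp_packet_size(inner_len, block=16, iv=16, icv=16):
    """Bytes on the wire for one inner IP packet after ESP encapsulation."""
    # Inner packet plus trailer is padded up to a multiple of the block size.
    padded = ((inner_len + ESP_TRAILER + block - 1) // block) * block
    return OUTER_IPV4 + ESP_HEADER + iv + padded + icv


def max_inner_packet(path_mtu, block=16, iv=16, icv=16):
    """Largest inner IP packet whose ESP packet still fits in path_mtu."""
    room = path_mtu - OUTER_IPV4 - ESP_HEADER - iv - icv
    return (room // block) * block - ESP_TRAILER


def max_ping_payload(path_mtu):
    """Largest -s value for `ping -M do` that needs no fragmentation."""
    return max_inner_packet(path_mtu) - INNER_IPV4 - ICMP_HEADER


def max_tcp_segment(path_mtu):
    """Largest TCP payload per segment that fits through the tunnel."""
    return max_inner_packet(path_mtu) - INNER_IPV4 - TCP_HEADER


if __name__ == "__main__":
    mtu = 1500  # external interface MTU reported in the quoted message
    print("largest inner packet:", max_inner_packet(mtu))
    print("largest ping -s     :", max_ping_payload(mtu))
    print("largest TCP segment :", max_tcp_segment(mtu))
    # A full-size 1500-byte inner packet no longer fits after encapsulation.
    print("ESP size of a 1500-byte inner packet:", esp_packet_size(1500))
```
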
