[ProgSoc] Getting ipsec-tools to work between Ubuntu Lucid hosts

John Elliot jj5 at jj5.net
Sat Jul 30 14:38:12 EST 2011

On 29/07/2011 8:08 AM, Nigel Sheridan-Smith wrote:
> Could be MSS / MTU related, if small packets get through, but large ones do
> not...
> http://en.wikipedia.org/wiki/Maximum_segment_size
> http://en.wikipedia.org/wiki/Maximum_transmission_unit

I'm going with this as the problem. Without ipsec enabled I can get a 
max packet size of 1472, with it enabled the max packet size is 230.

I used,

  $ ping -M do -s <packet size> <host>

to establish this. The MSS/MTU explains why connections establish but 
then start dropping packets. I'm not sure if it's actually IP tables 
that is dropping the packets, but that might explain why it seemed to be 
dropping packets even though those packets matched ACCEPT rules.

So... how can I configure the MSS/MTU being used by IPSec connections? 
Presumably larger packets need to be fragmented, and they're not being 
fragmented. How can I fix that?

More information about the Progsoc mailing list