[ProgSoc] Getting ipsec-tools to work between Ubuntu Lucid hosts
John Elliot
jj5 at jj5.net
Sat Jul 30 14:38:12 EST 2011
On 29/07/2011 8:08 AM, Nigel Sheridan-Smith wrote:
> Could be MSS / MTU related, if small packets get through, but large ones do
> not...
>
> http://en.wikipedia.org/wiki/Maximum_segment_size
> http://en.wikipedia.org/wiki/Maximum_transmission_unit
I'm going with this as the problem. Without ipsec enabled I can get a
max packet size of 1472, with it enabled the max packet size is 230.

I used,

    $ ping -M do -s <packet size> <host>

to establish this. The MSS/MTU explains why connections establish but
then start dropping packets. I'm not sure if it's actually IP tables
that is dropping the packets, but that might explain why it seemed to be
dropping packets even though those packets matched ACCEPT rules.

So... how can I configure the MSS/MTU being used by IPSec connections?
Presumably larger packets need to be fragmented, and they're not being
fragmented. How can I fix that?
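The probing method in the post above, automated as an added example (this is not code from the original thread): it binary-searches the largest ICMP payload that a Don't-Fragment ping still gets through, using the same `ping -M do -s <size> <host>` probe, and converts that payload to a path MTU by adding the 8-byte ICMP and 20-byte IPv4 headers. The host name, the search bounds and the two-second reply timeout are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: find the largest ICMP payload
# that crosses the path without fragmentation (the post's "max packet size").

# probe_ping SIZE HOST: success (exit 0) if one DF-flagged ping of SIZE
# payload bytes gets a reply within 2 seconds; failure otherwise.
probe_ping() {
    ping -c 1 -W 2 -M do -s "$1" "$2" >/dev/null 2>&1
}

# find_max_payload PROBE HOST LO HI: largest payload in [LO, HI] for which
# "PROBE size HOST" succeeds, or 0 if none does. Assumes the outcome is
# monotonic in size, which holds for path-MTU probing: once a size is too
# big to pass unfragmented, every larger size fails too.
find_max_payload() {
    probe=$1; host=$2; lo=$3; hi=$4
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid" "$host"; then
            best=$mid
            lo=$(( mid + 1 ))      # mid passed: look for something larger
        else
            hi=$(( mid - 1 ))      # mid failed: everything above it fails too
        fi
    done
    echo "$best"
}

# payload_to_mtu PAYLOAD: ICMP payload + 8-byte ICMP header + 20-byte IPv4
# header. With the post's numbers, 1472 + 28 = 1500 (a plain Ethernet MTU).
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# Stand-alone usage: sh pmtu.sh <host>   (search bound 1472 is an assumption)
if [ "$#" -gt 0 ]; then
    p=$(find_max_payload probe_ping "$1" 0 1472)
    echo "largest unfragmented ICMP payload: $p bytes (path MTU $(payload_to_mtu "$p"))"
fi
```

Run it once with IPsec down and once with it up; the difference between the two path MTUs is the per-packet overhead the tunnel adds, and the smaller figure is the size that the interface MTU or TCP MSS on the IPsec path has to stay within for large packets to stop disappearing.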