Author Topic: MSS and IPSEC (Read 263 times)

olest · « **on:** March 30, 2021, 09:47:50 am »

Hi,

I have had a few new sites where I need to set MSS=1400 om LAN interface to get traffic through IPSEC tunnels.
Is that a "normal" problem?

goodomens42 · « **Reply #1 on:** April 08, 2021, 07:03:17 am »

I think it is, if one of your IPSEC Endpoints is using a MTU less than default 1500 and PMTU-Discovery is broken between endpoints. In all tunnels with one endpoint on our Hetzner servers I have to use use MSS=1300 as they are running with MTU 1400 due to Hetzner Virtual Switch VLAN's.

Ricardo · « **Reply #2 on:** April 08, 2021, 07:55:06 pm »

On opnsense router what metrics/counters indicate that my vpn tunnel speed problem happens because of MTU / fragmentation?

goodomens42 · « **Reply #3 on:** April 08, 2021, 10:06:24 pm »

In my experience MTU problems mostly manifest not as speed problems, but connections with larger paket sizes stalling. For example ping goes through, ssh hangs once you type 'ls' in a directory with many files

Ricardo · « **Reply #4 on:** April 09, 2021, 01:44:57 pm »

How about high amount of fragmentation due to tunnel MTU smaller than endpoint MTU, and the constant fragmentation/re-assembly that can kill throughput?

Aergan · « **Reply #5 on:** April 10, 2021, 11:07:15 am »

I set a Firewall normalisation rule for my IPSEC interface and set all traffic to Max MSS 1350 for that interface. That resolved it for my IPSEC tunnel to Azure (gleamed from their documentation).

Ricardo · « **Reply #6 on:** April 12, 2021, 06:05:54 am »

@Aergan: that "firewall normalisation" sounds plain chinese to me. What did you do exactly, any stepbystep guide to follow?

Author Topic: MSS and IPSEC (Read 263 times)

olest

MSS and IPSEC

goodomens42

Re: MSS and IPSEC

Ricardo

Re: MSS and IPSEC

goodomens42

Re: MSS and IPSEC

Ricardo

Re: MSS and IPSEC

Aergan

Re: MSS and IPSEC

Ricardo

Re: MSS and IPSEC