07-26-2014, 11:29 PM
|
#1
|
Member
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349
Rep:
|
strongswan - set MTU size?
Curious on how to restrict strongswan MTU size without reducing the MTU on the physical interface on which it's running. I'm finding lots of ways to do it via iptables MSS clamping, but that appears to only work for TCP; strongswan (5.1.3) appears to be using encapsulated UDP, as far as my packet captures can tell.
|
|
|
07-27-2014, 06:40 AM
|
#2
|
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348
Rep:
|
Since IPsec doesn't use tunnel interfaces, the payload size is limited by the MTU of the outgoing interface (and the path MTU, obviously). Unless StrongSwan has a configuration parameter that can limit the payload size (and I don't think such a parameter exists), you're stuck with the interface MTU.
BTW, StrongSwan doesn't "use encapsulated UDP", it uses IPsec/ESP, which in turn may use IPsec NAT Traversal encapsulation (UDP port 4500) if NAT is detected or if you force NAT-T with the relevant parameter.
|
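
Added example, not part of either poster's reply: a Python sketch of how much inner packet fits in one ESP tunnel-mode packet for a given outgoing-interface MTU, with and without the NAT-T UDP header mentioned in post #2. The header, IV and ICV sizes are the standard ESP-over-IPv4 values (RFC 4303, RFC 3948); the suite labels and function names are assumptions made for this example.

```python
# Added example: per-packet ESP tunnel-mode overhead over IPv4.
# Suite labels and function names are illustrative, not strongSwan keywords.
OUTER_IPV4 = 20   # outer IPv4 header, no options
NATT_UDP = 8      # UDP header added by NAT-T encapsulation (port 4500)
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)

# suite label -> (IV bytes, padding alignment in bytes, ICV bytes)
SUITES = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
    "aes-gcm-16": (8, 4, 16),
}

def esp_packet_size(inner_len, suite, natt=False):
    """Bytes on the wire for one ESP packet carrying an inner packet of inner_len bytes."""
    iv, align, icv = SUITES[suite]
    # Inner packet + padding + trailer must end on the cipher's alignment boundary.
    pad = -(inner_len + ESP_TRAILER) % align
    encap = OUTER_IPV4 + (NATT_UDP if natt else 0) + ESP_HEADER
    return encap + iv + inner_len + pad + ESP_TRAILER + icv

def max_inner_packet(link_mtu, suite, natt=False):
    """Largest inner IP packet that fits in link_mtu without fragmenting the ESP packet."""
    iv, align, icv = SUITES[suite]
    room = link_mtu - OUTER_IPV4 - (NATT_UDP if natt else 0) - ESP_HEADER - iv - icv
    if room < align:
        raise ValueError("link MTU too small for this suite")
    # Round the encrypted region down to a whole number of alignment units.
    return room // align * align - ESP_TRAILER

def report(link_mtu=1500):
    """Rows of (suite, natt, inner MTU, TCP MSS, max UDP payload) for an IPv4 inner packet."""
    rows = []
    for suite in SUITES:
        for natt in (False, True):
            inner = max_inner_packet(link_mtu, suite, natt)
            # TCP MSS = inner - 20 (IPv4) - 20 (TCP); UDP payload = inner - 20 - 8.
            rows.append((suite, natt, inner, inner - 40, inner - 28))
    return rows

if __name__ == "__main__":
    for suite, natt, inner, mss, udp in report():
        print(f"{suite:24} natt={natt!s:5} inner_mtu={inner} tcp_mss={mss} udp_payload={udp}")
```

The TCP MSS column is the value an MSS clamp would target; the UDP payload column shows the limit that clamping cannot enforce, which is the gap raised in post #1.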
|
|
07-27-2014, 10:48 AM
|
#3
|
Member
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349
Original Poster
Rep:
|
OK, that's what I thought. Thanks for the info.
As an aside, have you ever used Strongswan? If so, what do you think of it? Has it worked well for you?
|
|
|
07-27-2014, 11:10 AM
|
#4
|
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348
Rep:
|
Quote:
Originally Posted by psycroptic
As an aside, have you ever used Strongswan? If so, what do you think of it? Has it worked well for you?
|
I've only just started using it, but so far it seems to work very well. It has an impressive list of features.
I can't say I'm perfectly happy with the configuration syntax (seriously, "left" and "right"? How about "local" and "remote"?), but all in all it wasn't too difficult to set up connections that would talk to other IPsec equipment.
|
|
|
07-27-2014, 11:23 AM
|
#5
|
Member
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349
Original Poster
Rep:
|
Word. Coming from OpenVPN, I am also finding its syntax more squirrely.
Have you tried using it with Android, specifically with the Strongswan app? I'm noticing lots of random disconnects there, sometimes requiring a phone reboot to be able to reconnect again.
|
|
|
07-27-2014, 05:09 PM
|
#6
|
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348
Rep:
|
I haven't used the Android app, but I would suspect the cause of any instabilities to be on the Android side. strongSwan on x86 Linux seems rock solid.
|
|
|
07-27-2014, 05:21 PM
|
#7
|
Member
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349
Original Poster
Rep:
|
Quote:
Originally Posted by Ser Olmy
strongSwan on x86 Linux seems rock solid.
|
Yeah, same for me going from Linux to Win7.
|
|
|
All times are GMT -5. The time now is 09:06 AM.