Issue #1025

Path MTU discovery

Added by Paulo Chiquito about 4 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
-
Affected version:
5.3.2
Resolution:
No change required

Description

Hi
Does strongSwan do Path MTU discovery when creating an IPsec connection?
Thanks

History

#1 Updated by Tobias Brunner about 4 years ago

  • Status changed from New to Feedback

Does strongSwan do Path MTU discovery when creating an IPsec connection?

IPsec processing (or possibly PMTUD) is done by the Linux kernel. I don't know what the kernel does regarding PMTUD in relation to IPsec tunnels.

#2 Updated by Paulo Chiquito about 4 years ago

We have two machines on Ethernet (MTU 1500) and IPsec works fine in transport mode between them. When we route the connections through a GRE tunnel (MTU 1476) it stops working. I've tested the Path MTU discovery from both ends and it is working fine, so I'm wondering if strongSwan is not able to reduce the MTU of the IPsec connection to accommodate the reduced MTU of the link.
Is there a place where I can see what MTU is being used for IPsec? Does it use the MTU of the interface, or does it adjust it as the kernel detects changes on the Path MTU?
thanks

#3 Updated by Tobias Brunner about 4 years ago

so I'm wondering if strongSwan is not able to reduce the MTU of the IPsec connection to accommodate the reduced MTU of the link.

As mentioned, strongSwan is not involved in this. This all happens in the Linux kernel. It's definitely possible that the combination of several encapsulating protocols (e.g. GRE+IPsec) is not handled automatically (if that is even possible - and it might depend on the kernel version).

Is there a place where I can see what MTU is being used for IPsec?

There is no MTU directly associated with the IPsec tunnels (they are not interfaces). The DF flag on the original IP header will be preserved (also in tunnel mode), so PMTUD should still work in theory. The question is though how the kernel handles negative results.

Does it use the MTU of the interface, or does it adjust it as the kernel detects changes on the Path MTU?

Yes, I think it mainly depends on the MTU of the outbound interface (and perhaps the routes, as they can have their own MTU). How the kernel adjusts that if it receives ICMPs to that effect I'm not sure (might be temporary in the routing cache, but if tunneling is involved this might not work and not be propagated properly to other nodes behind the gateways).

You might have to manually reduce the MTU of the GRE interface to account for the IPsec overhead, or implement something like MSS clamping to fix this.

#4 Updated by John F about 4 years ago

What about setting the MTU in the kernel-netlink plugin? (strongswan.d/charon/kernel-netlink.conf)
You can then run 'ip route get to <IP address on the other end>' to find out the MTU of the route.
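
Worked example added here (it is not from the ticket, from strongSwan or from any of the commenters): a POSIX shell script that does the arithmetic behind the two suggestions in #3, lowering the GRE interface MTU to absorb the ESP overhead and deriving a matching TCP MSS clamp, and then prints the `ip route get` check from #4 alongside the commands it would apply. The ESP framing sizes (8-byte header, 2-byte trailer, IV/ICV lengths, padding alignment) follow RFC 4303 and RFC 4106; the interface name `gre1`, the peer address `192.0.2.1` and the 1500-byte underlay MTU are constructed placeholders, and the script only prints the commands rather than running them.

```shell
#!/bin/sh
# Added example, not strongSwan code: size a GRE interface carried over ESP in
# transport mode, and derive the TCP MSS that fits that MTU.

# Worst-case ESP overhead in bytes for transport mode.
# $1 = IV length, $2 = ICV length, $3 = padding alignment (cipher block size)
esp_overhead() {
    iv=$1; icv=$2; align=$3
    hdr=8                   # SPI (4) + sequence number (4)
    trailer=2               # pad length (1) + next header (1)
    maxpad=$((align - 1))   # worst case: payload one byte short of alignment
    echo $((hdr + iv + maxpad + trailer + icv))
}

# GRE over IPv4 adds an outer IPv4 header (20) and a basic GRE header (4);
# this is what turns the 1500-byte link into the 1476-byte GRE MTU in the report.
gre_overhead() { echo 24; }

# Largest inner packet that still fits the path MTU after GRE + ESP encapsulation.
# $1 = path MTU of the underlay, $2 = ESP overhead,
# $3 = 1 for ESP tunnel mode (adds another outer IPv4 header), default transport
inner_mtu() {
    pmtu=$1; esp=$2; tunnel=${3:-0}
    outer=0
    if [ "$tunnel" -eq 1 ]; then outer=20; fi
    echo $((pmtu - $(gre_overhead) - esp - outer))
}

# TCP MSS that fits in a given MTU: subtract IPv4 header (20) and TCP header (20).
mss_for_mtu() { echo $(($1 - 40)); }

# --- constructed inputs (placeholders, not values from the ticket) ---
PMTU=1500          # underlay MTU between the two hosts
GRE_IF=gre1        # placeholder interface name
PEER=192.0.2.1     # placeholder peer address (documentation range)

# AES-GCM-128 in ESP: 8-byte IV, 16-byte ICV, 4-byte padding alignment (RFC 4106)
ESP=$(esp_overhead 8 16 4)
MTU=$(inner_mtu "$PMTU" "$ESP")
MSS=$(mss_for_mtu "$MTU")

echo "worst-case ESP transport overhead: $ESP bytes"
echo "suggested MTU for $GRE_IF: $MTU (TCP MSS clamp: $MSS)"
echo "# commands to apply on the gateway (printed, not executed):"
echo "ip link set dev $GRE_IF mtu $MTU"
echo "iptables -t mangle -A FORWARD -o $GRE_IF -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $MSS"
echo "ip route get $PEER    # inspect the route the kernel actually uses to the peer"
```

With the constructed inputs the script arrives at 37 bytes of ESP overhead and a 1439-byte MTU for the GRE interface; with AES-CBC plus HMAC-SHA1-96 (16-byte IV, 12-byte ICV, 16-byte alignment) the overhead rises to 53 bytes, and ESP tunnel mode costs a further 20. Clamping the MSS is the fallback when ICMP "fragmentation needed" messages do not reach the end hosts through the tunnels, which is exactly the propagation problem raised in #3.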

#5 Updated by Noel Kuntze about 2 years ago

  • Status changed from Feedback to Closed
  • Resolution set to No change required

This is described on the wiki now.
