Strongswan: IPsec VPN – https error

I have a VPN between two sites, Strongswan and a Cisco 1841. The VPN works well, but there is a problem: some SSL websites could not be opened. After some research, it turned out to be an MTU issue.

This is how I fixed it:

conf t
int fa0/1
ip mtu 1500
int fa0/0
ip mtu 1500

In the case of Yahoo, I need to update this on the Strongswan server:

$ iptables -t mangle -A FORWARD -o eth0 \
-p tcp -m tcp --tcp-flags SYN,RST SYN \
-m tcpmss --mss 1361:1536 \
-j TCPMSS --set-mss 1360

$ echo 1 >/proc/sys/net/ipv4/ip_no_pmtu_disc
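
An added example, not part of the original post: a shell calculation of the largest inner packet and TCP MSS that fit inside one ESP tunnel-mode packet, to show how much headroom the 1360 clamp above leaves. The function names and the cipher profiles (IV, block and ICV sizes, a 1500-byte link MTU, IPv4) are assumptions; the post does not say which proposal the tunnel uses.

```shell
#!/bin/sh
# Added example. Profiles below are constructed, not taken from the post.

# esp_inner_mtu LINK_MTU IV_LEN BLOCK_LEN ICV_LEN NATT(0|1)
# Largest inner IP packet that fits one ESP tunnel-mode packet (IPv4 outer).
esp_inner_mtu() {
    link_mtu=$1; iv=$2; block=$3; icv=$4; natt=$5
    # Outer IPv4 header (20) + ESP header, SPI and sequence number (8)
    overhead=$((20 + 8 + iv + icv))
    # NAT-T wraps ESP in UDP, which costs 8 more bytes
    if [ "$natt" -eq 1 ]; then overhead=$((overhead + 8)); fi
    room=$((link_mtu - overhead))
    # Ciphertext = inner packet + padding + 2-byte trailer, aligned to the block size
    room=$((room / block * block))
    echo $((room - 2))
}

# tcp_mss INNER_MTU: subtract the fixed inner IPv4 (20) and TCP (20) headers
tcp_mss() {
    echo $(($1 - 40))
}

# clamp_rule MSS OUT_IF: print (do not apply) a rule in the form used in this post
clamp_rule() {
    mss=$1; out_if=$2
    echo "iptables -t mangle -A FORWARD -o $out_if -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $((mss + 1)):1536 -j TCPMSS --set-mss $mss"
}

# Constructed profiles: name iv block icv natt
for p in "aes-cbc/hmac-sha1-96 16 16 12 0" \
         "aes-cbc/hmac-sha1-96+nat-t 16 16 12 1" \
         "aes-gcm16 8 4 16 0"; do
    set -- $p
    inner=$(esp_inner_mtu 1500 "$2" "$3" "$4" "$5")
    echo "$1: inner MTU $inner, TCP MSS $(tcp_mss "$inner")"
done

# The value from the post; it sits below every profile above.
clamp_rule 1360 eth0
```

With these assumed profiles the computed MSS values are 1398, 1382 and 1406, so a clamp of 1360 keeps TCP segments inside a single ESP packet in all three cases.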

For your reference:

MTU woes in IPsec tunnels and how you can fix it
