Ipsec and mss-clamping. Is there a way to make them persistent?

Question

Hi all, I have an xgs 3100 firewall on which about 20 ipsec tunnels are attested. All these ipsec have fragmentation problems so I am forced to use mss-clamping. 
 
 For example without mss-clamping an icmp packet passes as long as I set a size of 1400, over 1400 it always expires. 
 iptables -t mangle -A POSTROUTING -o ipsec0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400 
 
 Unfortunately this solution is not persistent on reboot and in any case it is difficult to manage. 
 I wonder if there is a way to make them persistent on reboot and on a firmware update, or if anyone has any suggestions for better methods for fragmentation problems in ipsec.

Mayur Makvana · Accepted Answer

Hello, 
 You may change the MSS of the LAN interface of the firewall. There will be disconnection once you changes it. 
 If you do not wish to change, I suggest raising the support case and they can help you add it to the startup script.

Srisakthi S · Answer

Yes, Route based tunnel type would be a better alternate here. XFRM interface MSS value can be managed from the GUI and is persistent across reboot.

Mayur Makvana · Answer

Hello, 
 Yes, that would be another option if you are looking to change from policy based to route based VPN. 
 docs.sophos.com/.../index.html

Ipsec and mss-clamping. Is there a way to make them persistent?

Top Replies