
IPsec and MSS clamping. Is there a way to make them persistent?

Hi all,
I have an XGS 3100 firewall on which about 20 IPsec tunnels are attested.
All these IPsec tunnels have fragmentation problems, so I am forced to use MSS clamping.


For example, without MSS clamping an ICMP packet passes as long as I set a size of 1400; over 1400 it always expires.

iptables -t mangle -A POSTROUTING -o ipsec0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400

Unfortunately, this solution is not persistent across reboots, and in any case it is difficult to manage.

I wonder if there is a way to make them persistent across reboots and firmware updates, or if anyone has suggestions for better methods for fragmentation problems in IPsec.



Edited TAGs
[edited by: Erick Jan at 1:05 AM (GMT -7) on 14 Oct 2024]
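An added example, not the poster's or Sophos's code: an idempotent shell script that installs the clamping rule only when it is missing, so it can be re-run safely from whatever boot hook or scheduler the platform offers, and that derives the MSS from a measured path MTU instead of hard-coding 1400. The interface name, the default path MTU, the 40-byte IPv4+TCP header allowance and the use of Linux iputils `ping -M do` for probing are assumptions.

```shell
#!/bin/sh
# Idempotent MSS clamp for an IPsec interface (constructed example).
# Re-running it is safe, so it can be invoked from a boot hook or a
# scheduler to restore the rule after a reboot.
set -u

IFACE="${IFACE:-ipsec0}"      # assumption: the tunnel interface name
PATH_MTU="${PATH_MTU:-1440}"  # assumption: largest DF packet the tunnel passes

# MSS = path MTU - 20 (IPv4 header) - 20 (TCP header without options).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Match and target as one string, so the check (-C) and the append (-A)
# always refer to exactly the same rule.
mss_rule() {
    echo "-o $1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2"
}

# Add the clamp only when iptables does not already report it.
ensure_mss_clamp() {
    rule=$(mss_rule "$IFACE" "$(mss_for_mtu "$PATH_MTU")")
    if iptables -t mangle -C POSTROUTING $rule 2>/dev/null; then
        echo "clamp already present on $IFACE"
    else
        iptables -t mangle -A POSTROUTING $rule && echo "clamp added on $IFACE"
    fi
}

# Probe the path MTU with DF-marked pings: the largest payload that is
# answered, plus 28 bytes of ICMP/IPv4 headers, is the value for PATH_MTU.
probe_path_mtu() {
    host=$1; lo=1200; hi=1500
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if ping -M do -c 1 -W 2 -s "$mid" "$host" >/dev/null 2>&1; then
            lo=$mid
        else
            hi=$mid
        fi
    done
    echo $(( lo + 28 ))
}
case "${1:-}" in
    apply) ensure_mss_clamp ;;
    probe) probe_path_mtu "${2:?remote host behind the tunnel}" ;;
esac
```

Run `sh mss-clamp.sh probe <host-behind-tunnel>` once to measure the MTU, then `PATH_MTU=<value> sh mss-clamp.sh apply` from the boot hook; `iptables -t mangle -S POSTROUTING` afterwards confirms the rule is present exactly once.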