Sophos Firewall: MSS Clamping and IPsec Acceleration

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This Recommended Read was created to highlight a new KB that can help solve IPsec issues without disabling IPsec acceleration.

Symptom

Cause

The problem with the ICMP-dependent approach to PMTUD is that it does not work if any network element in the path does not generate the "ICMP Fragmentation Needed" message when it should, or blocks such a message generated by another network element for whatever reason, including security policy.

With SFOS 19.0, for IPsec remote access connections, this general PMTUD issue has been exacerbated by the introduction of the IPsec acceleration feature: the MTU on the virtual ipsec0 tunnel interface is reduced to the minimum MTU of the WAN interfaces configured on the appliance, due to a limitation in the interaction between the DPIE on the host and the FastPath on the NPU.

Resolution

The following are the available workarounds:

Configure MSS clamping

Configure MSS clamping for all TCP connections going through IPsec tunnels using iptables rules. The MSS value that needs to be configured on the ipsec0 tunnel interface is computed with the following formula:

mss = min(MTU of all WAN interfaces) - (ipsec overhead + ip_overhead + TCP overhead)

Assuming AES-256 with SHA1:

  • ipsec overhead = 73 bytes
  • ip_overhead = 20 bytes for IPv4
  • tcp overhead = 60 bytes

Assuming the minimum WAN MTU on the appliance to be 1500, the MSS value needs to be configured to 1347:

mss = 1500 - (73 + 20 + 60)

Similarly, with ip_overhead for IPv6 being 40 bytes, the MSS value would be 1327:

mss = 1500 - (73 + 40 + 60)

MSS can be configured using the iptables or ip6tables commands via the Advanced Shell with the following rules:

  • iptables -t mangle -A POSTROUTING -o ipsec0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1347
  • ip6tables -t mangle -A POSTROUTING -o ipsec0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1327

Note that the iptables configuration above is not persistent across restarts, so one would have to add those commands every time the firewall is restarted for whatever reason. With 19.5 MR1, this configuration is added automatically during initialization.
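The formula and rules above, worked through as a small POSIX sh helper for the Advanced Shell. This is an added example, not code from the KB or from Sophos: it derives the MSS from the smallest WAN MTU for both address families, builds the matching TCPMSS rules, and only inserts a rule when `iptables -C` reports it is absent, so re-running it after a restart does not duplicate rules. The WAN MTU values 1500 and 1492 are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the KB). Overheads follow the KB's assumptions:
# ESP with AES-256/SHA1 = 73 bytes, TCP header with options = 60 bytes.
IPSEC_OVERHEAD=73
TCP_OVERHEAD=60

# Smallest MTU among the WAN MTUs passed as integer arguments.
min_mtu() {
    min=""
    for m in "$@"; do
        if [ -z "$min" ] || [ "$m" -lt "$min" ]; then min=$m; fi
    done
    echo "$min"
}

# mss = min(WAN MTU) - (ipsec overhead + ip overhead + tcp overhead)
# family is 4 (20-byte IP header) or 6 (40-byte IP header).
compute_mss() {
    mtu=$1; family=$2
    if [ "$family" = "6" ]; then ip_overhead=40; else ip_overhead=20; fi
    echo $(( mtu - (IPSEC_OVERHEAD + ip_overhead + TCP_OVERHEAD) ))
}

# The mangle-table TCPMSS rule for the given family and MSS, as in the KB.
mss_rule() {
    family=$1; mss=$2
    if [ "$family" = "6" ]; then tool=ip6tables; else tool=iptables; fi
    echo "$tool -t mangle -A POSTROUTING -o ipsec0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
}

# Idempotent apply: -C (check) exits non-zero when no matching rule exists,
# so the -A (append) only runs when the clamp is not already in place.
# Call as: apply_clamp 1500 1492   (list every WAN interface MTU)
apply_clamp() {
    mtu=$(min_mtu "$@")
    for fam in 4 6; do
        rule=$(mss_rule "$fam" "$(compute_mss "$mtu" "$fam")")
        check=$(echo "$rule" | sed 's/ -A / -C /')
        sh -c "$check" 2>/dev/null || sh -c "$rule"
    done
}

# Show the rules that would be applied for the constructed MTUs 1500 and 1492.
for fam in 4 6; do
    mss_rule "$fam" "$(compute_mss "$(min_mtu 1500 1492)" "$fam")"
done
```

With MTUs 1500 and 1492 the smallest is 1492, so the printed rules clamp to 1339 (IPv4) and 1319 (IPv6); with a single 1500-byte WAN they reproduce the KB's 1347 and 1327.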

Turn off IPsec Acceleration

Follow the steps described on the IPsec acceleration documentation page to turn off IPsec acceleration. This is not the preferred option, as it prevents the user from taking advantage of the processing power of the NPU, which can offload traffic processing.

Configure a small value for MTU

This is the least feasible option, as it has to be applied on the administered endpoints in the network. Configure the MTU to a reasonably small value that avoids the need for fragmentation in the network.

KB

https://support.sophos.com/support/s/article/KB-000044840?language=en_US

Note: For any updates about this Recommended Read, always check the KB.




Updated links to latest
[edited by: Raphael Alganes at 3:29 PM (GMT -8) on 15 Nov 2024]
  • Hello everyone, I have had a similar issue and the support solution was to change the MSS to 1300 only for networks that are in IPsec.

    iptables -t mangle -I POSTROUTING -d 192.190.4.121/32 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1300;
    iptables -t mangle -I POSTROUTING -s 192.190.4.121/32 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1300;

    Regards
