Issue of MSS on IPSEC VPN [follow up]

There is a well-known IPSEC VPN performance issue which can be resolved by adding this command:

iptables -I FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1320

This command works fine from the console for me. In order to survive a reboot, I added it to /etc/init.d/iptables in the start section just below:
 iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

I rebooted the UTM and then checked with: iptables -n -L --line-numbers

I expected to see:

Chain FORWARD (policy DROP)

num  target     prot opt source               destination
1    TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS set 1320
..
..

but there is no such line at all.

Do any of you know a solution? I'm running UTM 9.705.

Best wishes,
JockyW



  • By running a script each minute via cron I finally got it to work.

    This is the script /root/iptables-tcp-mss.sh:
    #!/bin/bash
    iptables -C FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1320 || iptables -I FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1320

    This is the cron job to be added in /etc/crontab-static; then cycle the Up2date config from daily -> manual -> daily, which causes the crontab to be regenerated:
    # Start custom iptables script every 1 minute
    * * * * * root /root/iptables-tcp-mss.sh

    Thx tom k. !

    EDIT: it is necessary to reinit ipsec after updating tcp mss to 1320. So I added that to iptables-tcp-mss.sh:

    #!/bin/bash

    # Check whether the clamp is already in FORWARD (iptables -C exits non-zero
    # when the rule is absent); only then insert it at position 1 and reinit ipsec.
    # confd-client.plx runs in the foreground here, so no wait is needed.
    if ! iptables -C FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1320 2>/dev/null
    then
       iptables -I FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1320
       /usr/local/bin/confd-client.plx set ipsec status 0
       /usr/local/bin/confd-client.plx set ipsec status 1
    fi



    It is necessary to reinit ipsec after updating tcp mss to 1320. So I added that to iptables-tcp-mss.sh
    [edited by: jockyw2001 at 10:27 AM (GMT -7) on 30 May 2021]
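A hardened variant of the cron script in the post above, written here as an added example; it is not the poster's code and not anything shipped with UTM. It keeps one rule spec shared by the -C and -I calls so they cannot drift apart, restarts IPsec only on the run that actually inserted the rule, takes a lock so a slow IPsec restart cannot overlap the next minute's cron run, and turns the `iptables -n -L --line-numbers` check the poster did by eye into a function. The MSS value 1320 and the confd-client.plx path come from the thread; flock(1), logger(1), the lock path, the `--apply` switch and the sample listing are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent TCPMSS clamp for cron on
# Sophos UTM. Assumptions not confirmed by the thread: iptables supports -C,
# flock(1) and logger(1) exist, and confd-client.plx lives at the path below.
# Every external command is a variable so it can be substituted in tests.

MSS=${MSS:-1320}                                   # value used in the thread
IPTABLES=${IPTABLES:-iptables}
CONFD=${CONFD:-/usr/local/bin/confd-client.plx}
LOCKFILE=${LOCKFILE:-/var/run/iptables-tcp-mss.lock}   # assumed path

# One source of truth for the match, so -C and -I can never disagree.
rule_match() {
    echo "-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $MSS"
}

# Print "present" if the clamp already sits in FORWARD, "inserted" after adding
# it at position 1; return non-zero if iptables itself fails (chain missing, etc.).
ensure_tcpmss_rule() {
    if $IPTABLES -C FORWARD $(rule_match) 2>/dev/null; then
        echo present
        return 0
    fi
    $IPTABLES -I FORWARD 1 $(rule_match) || return 1
    echo inserted
}

# The check the poster did by eye: read `iptables -n -L --line-numbers` output
# on stdin and print the rule number of the TCPMSS rule in FORWARD (nothing
# if it is missing).
tcpmss_rule_number() {
    awk '/^Chain /{chain=$2}
         chain=="FORWARD" && $2=="TCPMSS" {print $1; exit}'
}

# Constructed sample of the listing the poster expected, for a self-check.
sample_listing() {
    printf '%s\n' \
        'Chain FORWARD (policy DROP)' \
        'num  target     prot opt source               destination' \
        '1    TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS set 1320' \
        '2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED'
}

# Bouncing ipsec restarts every enabled tunnel, so main() calls this only when
# the rule was really missing.
restart_ipsec() {
    "$CONFD" set ipsec status 0 && "$CONFD" set ipsec status 1
}

main() {
    # Serialize runs: a slow IPsec restart must not overlap the next cron tick.
    exec 9>"$LOCKFILE"
    flock -n 9 || { logger -t iptables-tcp-mss "previous run still active"; exit 0; }
    state=$(ensure_tcpmss_rule) || { logger -t iptables-tcp-mss "iptables failed"; exit 1; }
    if [ "$state" = inserted ]; then
        logger -t iptables-tcp-mss "TCPMSS clamp inserted, restarting IPsec"
        restart_ipsec
    fi
}

# Cron line (assumed): * * * * * root /root/iptables-tcp-mss.sh --apply
if [ "${1:-}" = --apply ]; then
    main
fi
```

To verify after a reboot, run `iptables -n -L FORWARD --line-numbers` and confirm the TCPMSS line is rule 1, which is exactly what `tcpmss_rule_number` reads off that output. A fixed `--set-mss` is kept rather than `--clamp-mss-to-pmtu` because the clamp is needed precisely when path MTU discovery is broken, so there is no reliable PMTU to clamp to.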
  • Interesting!

    What do you see in the IPsec log when the script runs? Doesn't setting the ipsec status off/on cause existing IPsec connections to restart?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • All enabled IPsec connections will restart. The only purpose of the script is to manually set MSS and restart IPsec connections after a UTM reboot.

    Note: there is only a need for manually setting MSS if path MTU discovery doesn't work because ICMP packets are dropped on the WAN.