On 10.04.2017 16:40, Zach Cutlip wrote: > Just to clarify: are you referring to > charon.plugins.kernel-netlink.mss and > charon.plugins.kernel-netlink.mtu?
No. You can set the MSS on the strongSwan host using iptables[1][2]. For the MTU. You very likely want to do that on the client. The strongSwan android app honors that. Setting charon.plugins.kernel-netlink.mss only has significance for connections that are initiated by the host running strongSwan and using charon.plugins.kernel-netlink.mtu just flat out breaks connectivity for IPsec peers with remote hosts that don't honor ICMP fragmentation needed messages (Instagram, for example). :( > Do the clients require any configuration change? See above. [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#MTUMSS-issues [2] https://strongswan.net/blog/how-to-resolve-mtu-issue-with-ipsec-tunnel/ > > On Tue, Apr 4, 2017 at 11:59 AM, Noel Kuntze <[email protected]> wrote: >> Hello Zach, >> >> On 30.03.2017 07:58, Zach Cutlip wrote: >>> Hello, >>> >>> I'm using StrongSwan in a road warrior configuration that allows me to >>> VPN all my smartphone and laptop traffic through my home internet >>> connection. When I'm away from home, my devices automatically connect >>> from my MacBook and iPhone. >>> >>> This works really well, with speeds generally approaching my home >>> internet service's upstream limit of 10Mbps, which is the bottleneck. >>> >>> The only exception is when I'm on the commuter bus to and from work >>> using the bus's WiFi. The on-bus WiFi's speed without the VPN >>> connected is generally around 15-30 Mbps, as tested by fast.com (over >>> HTTPS, so caching shouldn't be an issue) as well as ssh/scp. However, >>> when I connect to the VPN while on the bus, the performance becomes >>> nearly unusable; less than 1Mbps, sometimes around a few hundred Kbps. >>> >>> In case it matters, I'm guessing the bus uses some sort of cellular >>> backhaul. The public IP address block belongs to Clearwire, which I >>> think is owned by Sprint. >>> >>> I'm not sure how I would begin troubleshooting this: >>> - Is there any particular way should I configure logging on either the >>> server or the client? >>> - Are there any particular things I should look for in the longs? >>> - Is there anything I should look for in packet captures either on the >>> client or the server? >>> - Any other things I should look for? >>> >>> Thanks, >>> Zach >> >> Try lowering the MSS and MTU inside the tunnel to >> >> 1200 and 1300. There might be some MSS fixing happening on the >> mobile backhaul. >> >> You can use the instructions from the wiki to get a good traffic dump. >> I guess there are simply a lot of retransmissions, because of the dropped >> packets and nothing more. Maybe the WiFi does aggressive QoS >> and drops all the ESP/UDPENCAP packets. >> >> -- >> >> Mit freundlichen Grüßen/Kind Regards, >> Noel Kuntze >> >> GPG Key ID: 0x63EC6658 >> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 >> >> > > > -- :wq! > -- Mit freundlichen Grüßen/Kind Regards, Noel Kuntze GPG Key ID: 0x63EC6658 Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
