I found a temporary fix based on the MSS talk in LVS-Tun. It works and
it has minimal impact - it only modifies IPSec-transported traffic, which
was one of my unstated needs; I wanted traffic that does not go over the VPN
not to have to suffer from a less efficient MSS. The real situation is
This is the netfilter rule I came up with. It's an INPUT rule because
IPSec reinserts the decrypted packets back on the external interface.
iptables -I INPUT -p TCP -m policy --dir in --pol ipsec -m tcp --syn -m tcpmss --mss 1400: -j TCPMSS --set-mss 1400
This matches decrypted incoming SYN packets that have an MSS higher than
1400 and clamps it down to 1400. That number comes from the stock
MSS (1560) minus 56 bytes for the IPSec header. I am only looking at a higher
MSS rather than blindly clamping it to 1400, in case the other end wants
an even lower MSS.
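The following is an added example, not the poster's own script, that builds the same kind of IPsec-only MSS clamp in a parameterised form. It assumes (these are assumptions, not taken from the post) a 1500-byte MTU on the outer interface, IPv4 with 20-byte IP and 20-byte TCP headers, and the post's 56 bytes of per-packet IPsec overhead; it also adds the outbound counterpart (OUTPUT and FORWARD with --dir out) so SYNs we send into the tunnel get the same treatment as the ones we receive. Rules are printed by default and only executed when apply_rules is called with "apply".

```shell
#!/bin/sh
# Added example (not from the original post). Generates iptables rules that
# clamp TCP MSS only on traffic protected by an IPsec policy, leaving non-VPN
# traffic at its full MSS.

# Largest TCP payload that fits one MTU on a plain IPv4 link: MTU - IP - TCP.
plain_mss() {
    echo $(( $1 - 40 ))
}

# Same, after subtracting the per-packet IPsec overhead (ESP header, IV,
# padding, ICV). The overhead depends on the cipher suite of the SA; the
# 56 bytes used below is the figure from the post, treated here as an input.
ipsec_mss() {
    mtu=$1; overhead=$2
    echo $(( mtu - 40 - overhead ))
}

# Mirrors the kernel-side test '-m tcpmss --mss N:' with N = limit + 1:
# succeeds only when the advertised MSS exceeds the limit, so a peer that
# already asks for a smaller MSS is left untouched.
needs_clamp() {
    mss=$1; limit=$2
    [ "$mss" -gt "$limit" ]
}

# Emit the rules. '-m policy --pol ipsec' restricts the match to packets that
# were (dir in) or will be (dir out) IPsec-processed. Decrypted packets re-enter
# on the external interface, which is why the inbound rule lives in INPUT.
mss_clamp_rules() {
    limit=$1
    lo=$(( limit + 1 ))   # match strictly greater than the limit
    for spec in 'INPUT in' 'FORWARD in' 'OUTPUT out' 'FORWARD out'; do
        set -- $spec
        printf 'iptables -I %s -p tcp -m policy --dir %s --pol ipsec --syn -m tcpmss --mss %s: -j TCPMSS --set-mss %s\n' \
            "$1" "$2" "$lo" "$limit"
    done
}

# Print by default; execute the rules only when explicitly asked to.
apply_rules() {
    limit=$1; mode=${2:-print}
    mss_clamp_rules "$limit" | while IFS= read -r rule; do
        if [ "$mode" = apply ]; then eval "$rule"; else echo "$rule"; fi
    done
}

# Stand-alone run: show the rules for a 1500-byte MTU and 56 bytes of overhead.
apply_rules "$(ipsec_mss 1500 56)"
```

Running the script prints four rules with --set-mss 1404; pass "apply" as the second argument to apply_rules to install them. Because every rule carries the IPsec policy match, a host that also has clear-text peers keeps their MSS untouched, which is the point the post makes about not penalising non-VPN traffic.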