Re: [lvs-users] IPsec and LVS-NAT: fragmentation issue

To: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] IPsec and LVS-NAT: fragmentation issue
From: "Laurentiu C. Badea (L.C.)" <lc@xxxxxxxx>
Date: Fri, 19 Sep 2008 16:10:54 -0700
I found a temporary fix based on the MSS talk in LVS-Tun. It works and 
it has minimal impact - only modifies IPSec-transported traffic, which 
was one of my unstated needs, I wanted traffic that does not go over VPN 
to not have to suffer from a less efficient MSS. The real situation is 
like this:


This is the netfilter rule I came up with. It's an INPUT rule because 
IPSec reinserts the decrypted packets back on the external interface.

iptables -I INPUT -p TCP -m policy --dir in --pol ipsec -m tcp --syn -m 
tcpmss --mss 1400: -j TCPMSS --set-mss 1400

This matches decrypted incoming SYN packets that have an MSS higher than 
1400, and it clamps it down to 1400. That number comes from the stock 
MSS(1560) minus 56 bytes for IPSec header. I am only looking at higher 
MSS rather than blindly clamping it to 1400, in case the other end wants 
an even lower MSS.


<Prev in Thread] Current Thread [Next in Thread>