
IPSec VPN - Path MTU

Hej,

I have multiple IPSec tunnels with an MTU smaller than 1500. The tunnels are up but some packets are not transmitted completely. I think the XG sends packets to the tunnel with the false MTU. Is Path MTU available in XG v17?

Thanks.



  • Steppenwolf,

    MTU can be configured only on PPTP and L2TP from the console:

    set vpn l2tp mtu

    For the tunnel, you can try to use ifconfig tunname mtu xxxx, but the problem is that the MTU setting is not persistent across reboots.

    Let us know.

    Regards

  • As far as I can see this is (currently) not available. MTU can only be set for interfaces so you would need to change MTU for the whole interface.

    Regards, Jelle

    Sophos XG210-HA (SFOS 18.0.4) on SG210 appliances with Sandstorm and 1x AP55
    Sophos Central with Intercept X Advanced, Device Encryption, Phish Threat, Mobile Control Advanced

    If a post solves your question use the 'This helped me' link.

  • Thanks for your answers. I have only IPSec tunnels. I found an iptables command to set the MSS. I found this one on the internet:

    iptables -t mangle -I POSTROUTING -d 192.168.x.x/24 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1300

    This worked for me but is not reboot persistent. Is there a way to run this command at boot time automatically?

    Will it be possible to set the MTU for IPSec in future releases? Is PMTU support for future versions planned?

    With best regards,

    Steppenwolf

  • Hej,

    Does anybody know more about it? Is there a command to find the maximum MTU/MSS between two XGs?

    Thanks.

    With best regards,

    Steppenwolf
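
Added example, not part of the original thread and not Sophos code: one way to measure the largest packet that crosses a tunnel unfragmented, by binary-searching the ICMP payload size with Don't Fragment set, and to derive the matching TCP MSS. It assumes IPv4, Linux iputils `ping` (for example on a host behind the XG), and a peer behind the remote end that answers ICMP echo; the function names are hypothetical.

```shell
#!/bin/sh
# probe SIZE HOST: succeed if an echo with SIZE payload bytes and DF set is answered.
# Assumes Linux iputils ping, where "-M do" forbids fragmentation.
probe() {
    ping -M do -c 1 -W 1 -s "$1" "$2" >/dev/null 2>&1
}

# find_path_mtu HOST [LOW] [HIGH]: binary search over the ICMP payload size.
# Prints the path MTU (payload + 20-byte IPv4 header + 8-byte ICMP header).
# Returns 1 if even the smallest probe fails (host down or ICMP filtered).
find_path_mtu() {
    host=$1
    low=${2:-548}     # payload of a 576-byte datagram, which every IPv4 host must accept
    high=${3:-1472}   # payload of a full 1500-byte Ethernet MTU
    probe "$low" "$host" || return 1
    while [ "$low" -lt "$high" ]; do
        mid=$(( (low + high + 1) / 2 ))
        if probe "$mid" "$host"; then
            low=$mid              # mid passed: the answer is mid or larger
        else
            high=$(( mid - 1 ))   # mid was dropped: the answer is smaller
        fi
    done
    echo $(( low + 28 ))
}

# mss_for_mtu MTU: TCP MSS for IPv4 without options (20 bytes IP + 20 bytes TCP).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Stand-alone use: sh pmtu.sh <address of a host behind the remote tunnel end>
if [ -n "${1:-}" ]; then
    mtu=$(find_path_mtu "$1") || { echo "no reply from $1" >&2; exit 1; }
    echo "path MTU $mtu, TCP MSS $(mss_for_mtu "$mtu")"
fi
```

A probe that times out is treated the same as one rejected with "fragmentation needed", so the search also works on paths that silently drop oversized packets.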

  • Hello Steppenwolf,

    you could try the following to make it persistent.

    cd /scripts/system/clientpref/

    vi customization_application_startup.sh

    add your line in there.

     

    An-Dir

  • Hej,

    thank you very much. This worked for me, but only for reboots. It is not update persistent.

    With best regards,

    Steppenwolf

  • Hej,

    I have multiple IPSec tunnels with an MTU smaller than 1500. The tunnels are up but some packets are not transmitted completely. I think the XG sends packets to the tunnel with the false MTU. Is Path MTU available in XG v17?

    Thanks.

     

     

    Hello SteppenWolf

     

    You can set the Override MSS on the WAN interface under Advanced Settings using the GUI. This will be used for your Site to Site tunnels. As you can see we have it configured.

     

    There is also a KB about setting up Site to Site with Azure where they show where to set the Override MSS if you would like to read more about it: https://community.sophos.com/kb/en-us/127546

     

    Best Regards

    Rickard