IPSec VPN - Path MTU

Steppenwolf,

mtu can be configured only on PPTP and L2TP from console:

set vpn l2tp mtu

For the Tunnel, you can try to use ifconfig tunname mtu xxxx but the problem is that the mtu setting is not persistent with reboot.

Let us know.

Regards

As far as I can see this is (currently) not available. MTU can only be set for interfaces so you would need to change MTU for the whole interface.

Thanks for your answers. I have only IPSec tunnel. I found an iptables command to set the MSS. I have found this one in the internet:

iptables -t mangle -I POSTROUTING -d 192.168.x.x/24 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1300

This was working for me but not reboot persistent. Is there a way to run this command at boot time automatically? 

Will it be possible to set the MTU for IPSec in future releases? Is PMTU support for future versions planned?

Hej,

does anybody knows more about it? Is there a command to find the maximum MTU/MSS between two XGs?

Thanks.

Hello Steppenwolf,

you could try the following to make it persistent.

cd /scripts/system/clientpref/

vi customization_application_startup.sh

add your line in there.

An-Dir

Hej,

thank you very much. This worked for me, but only for reboots. It is not update persistent.

Hej,

i have multiple IPSec tunnel with an MTU smaller than 1500. The tunnel are up but some packets are not transmitted completely. I think the XG sends packets to the tunnel with the false MTU. Is Path MTU available in XG v17? 

Thanks.

Hello SteppenWolf

You can set the Override MSS on the WAN interface under Advanced Settings using the GUI. This will be used for your Site to Site tunnels. As you can see we have it configured.

There is also a KB about setting up Site to Site with Azure where the show where to sett the Override MSS if you would like to read more about it: https://community.sophos.com/kb/en-us/127546 

Best Regards

Rickard