[Openswan Users] PMTU issues

Benny Amorsen benny+usenet at amorsen.dk
Fri May 23 07:47:06 EDT 2008

"David L. Cathey" <davidc at montagar.com> writes:

> So far, the only thing that seems to have helped is setting
> net.ipv4.ip_no_pmtu_disc=1 and avoiding PMTU altogether.

If you can live with only solving the problem for TCP, I have had luck with

-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380

in netfilter on the VPN server.

That forces all forwarded TCP sessions to an MSS of 1380.

I am not sure that you actually want "handle fragmentation" turned on
with SonicWall. It may be worth it to turn that off, in order to let
the hosts handle it themselves.
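
What the TCPMSS rule above does to a forwarded SYN, as an added Python sketch (not part of the original post and not the kernel's code): it rewrites an advertised MSS above 1380 and patches the TCP checksum incrementally. The function names, and the choice to leave smaller or missing MSS options untouched, are assumptions of this example.

```python
import struct

def fold(x: int) -> int:
    """Fold carries back into 16 bits (one's-complement addition)."""
    while x >> 16:
        x = (x & 0xFFFF) + (x >> 16)
    return x

def clamp_syn_mss(tcp: bytes, mss: int = 1380) -> bytes:
    """Return the TCP segment with an MSS option above `mss` lowered to `mss`."""
    if len(tcp) < 20:
        return tcp
    # --tcp-flags SYN,RST SYN: examine SYN (0x02) and RST (0x04), require SYN only
    if (tcp[13] & 0x06) != 0x02:
        return tcp
    hdr_len = (tcp[12] >> 4) * 4            # data offset, in bytes
    if not 20 <= hdr_len <= len(tcp):
        return tcp                          # malformed header: leave untouched
    out = bytearray(tcp)
    i = 20
    while i < hdr_len:
        kind = out[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP padding, single byte
            i += 1
            continue
        if i + 2 > hdr_len:
            break
        length = out[i + 1]
        if length < 2 or i + length > hdr_len:
            break                           # malformed option: stop parsing
        if kind == 2 and length == 4:       # MSS option: kind 2, length 4
            (old,) = struct.unpack_from("!H", out, i + 2)
            if old > mss:
                struct.pack_into("!H", out, i + 2, mss)
                # Incremental checksum update (RFC 1624) over the aligned
                # 16-bit words that changed, so no pseudo-header is needed.
                (csum,) = struct.unpack_from("!H", out, 16)
                for off in range((i + 2) & ~1, i + 4, 2):
                    (w_old,) = struct.unpack_from("!H", tcp, off)
                    (w_new,) = struct.unpack_from("!H", out, off)
                    csum = ~fold((~csum & 0xFFFF) + (~w_old & 0xFFFF) + w_new) & 0xFFFF
                struct.pack_into("!H", out, 16, csum)
            break
        i += length
    return bytes(out)
```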
