ipv4 ipv6 mtu mss size

In this case we have a GRE tunnel inside an IKEv2 tunnel inside a PPPoE tunnel :-)


Get the IPv4 MSS with a Linux host


Size 1339 error

ping -4 -n -c 2 -M do -s 1339 www.google.com
PING www.google.com (xxx.xxx.xxx.xxx) 1339(1367) bytes of data.
ping: local error: Message too long, mtu=1366
ping: local error: Message too long, mtu=1366

--- www.google.com ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1027ms

Size 1338 good

ping -4 -n -c 2 -M do -s 1338 www.google.com
PING www.google.com (xxx.xxx.xxx.xxx) 1338(1366) bytes of data.
76 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=52 (truncated)
76 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=52 (truncated)

--- www.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 31.926/31.966/32.006/0.040 ms

How to calculate the IPv4 MSS

ICMPv4 overhead (IPv4 header + ICMP header = 20 + 8) = 28
Path MTU (largest working payload + ICMPv4 overhead = 1338 + 28) = 1366
IPv4+TCP overhead (IPv4 header + TCP header = 20 + 20) = 40
TCP MSS (path MTU - IPv4+TCP overhead = 1366 - 40) = 1326


Mikrotik ipv4 tcp-mss clamping example

/ip firewall mangle
add action=change-mss chain=forward new-mss=1326 passthrough=yes protocol=tcp src-address=xxx.xxx.xxx.xxx tcp-flags=syn tcp-mss=1327-65535
add action=change-mss chain=forward dst-address=xxx.xxx.xxx.xxx new-mss=1326 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1327-65535


Get the IPv6 MSS with a Linux host


Size 1319 error

ping -6 -n -c 2 -M do -s 1319 www.google.com

PING www.google.com(xxx:xxx:xxx:xxx::xxx) 1319 data bytes

--- www.google.com ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1004ms

Size 1318 good

ping -6 -n -c 2 -M do -s 1318 www.google.com
PING www.google.com(xxx:xxx:xxx:xxx::xxx) 1318 data bytes
76 bytes from xxx:xxx:xxx:xxx::xxx: icmp_seq=1 ttl=52 (truncated)
76 bytes from xxx:xxx:xxx:xxx::xxx: icmp_seq=2 ttl=52 (truncated)

--- www.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 31.501/31.733/31.966/0.292 ms

How to calculate the IPv6 MSS

ICMPv6 overhead (IPv6 header + ICMP header = 40 + 8) = 48
Path MTU (largest working payload + ICMPv6 overhead = 1318 + 48) = 1366
IPv6+TCP overhead (IPv6 header + TCP header = 40 + 20) = 60
TCP MSS (path MTU - IPv6+TCP overhead = 1366 - 60) = 1306
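The two probing runs above (IPv4 and IPv6) follow the same procedure: find the largest DF ping payload that still gets a reply, add the IP and ICMP header sizes to get the path MTU, then subtract the IP and TCP header sizes to get the MSS. The script below is an added example, not code from the original post; it replaces the manual 1339/1338 trial with a binary search over payload sizes, uses the same `ping -4|-6 -n -c 1 -M do -s SIZE host` command (plus a `-W 2` reply timeout, an assumption of mine), and also pulls the local `mtu=` hint out of the Linux error line as a cross-check. The header sizes are the ones used in the post; IP and TCP options are assumed absent.

```python
"""Added example (not from the original post): automate the DF-ping probing shown
above and derive the path MTU and TCP MSS for IPv4 or IPv6 from the result."""
import re
import subprocess
from typing import Callable, Optional

# Header sizes used in the post's arithmetic (no IP or TCP options assumed).
IP_HEADER = {4: 20, 6: 40}
ICMP_HEADER = 8
TCP_HEADER = 20


def mtu_from_payload(payload: int, family: int) -> int:
    """Largest ICMP payload that passes + IP header + ICMP header = path MTU."""
    return payload + IP_HEADER[family] + ICMP_HEADER


def mss_from_mtu(mtu: int, family: int) -> int:
    """TCP MSS = path MTU minus the IP and TCP headers."""
    return mtu - IP_HEADER[family] - TCP_HEADER


def max_payload(family: int, link_mtu: int = 1500) -> int:
    """Upper bound for the search: the payload that fills an unencapsulated link MTU."""
    return link_mtu - IP_HEADER[family] - ICMP_HEADER


def find_max_payload(probe: Callable[[int], bool], lo: int, hi: int) -> int:
    """Binary search for the largest payload size for which probe() succeeds.

    probe() must be monotone (succeeds up to some size, fails above it), which
    holds for DF pings along a fixed path. Replaces the manual 1339/1338 trial."""
    if not probe(lo):
        raise RuntimeError(f"even a {lo}-byte DF ping fails; path down or PMTU below {lo}")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid fits, the answer is mid or larger
        else:
            hi = mid - 1      # mid is too big
    return lo


_LOCAL_MTU = re.compile(r"Message too long, mtu=(\d+)")


def local_mtu_hint(ping_output: str) -> Optional[int]:
    """Linux ping prints the kernel's local PMTU estimate in its error line
    ("mtu=1366" above); extract it to sanity-check the probed value."""
    m = _LOCAL_MTU.search(ping_output)
    return int(m.group(1)) if m else None


def ping_probe(host: str, family: int, payload: int) -> bool:
    """One DF ping as in the post; exit status 0 means a reply was received."""
    cmd = ["ping", f"-{family}", "-n", "-c", "1", "-W", "2", "-M", "do",
           "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True, text=True).returncode == 0


def probe_path(host: str, family: int) -> dict:
    """Run the whole procedure against a live host (needs network access)."""
    payload = find_max_payload(lambda s: ping_probe(host, family, s),
                               lo=0, hi=max_payload(family))
    mtu = mtu_from_payload(payload, family)
    return {"payload": payload, "mtu": mtu, "mss": mss_from_mtu(mtu, family)}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.google.com"
    for fam in (4, 6):
        try:
            print(f"IPv{fam}:", probe_path(host, fam))
        except RuntimeError as err:
            print(f"IPv{fam}: {err}")
```

With the probe results from the post (1338 for IPv4, 1318 for IPv6) the functions return MTU 1366 in both cases and MSS 1326 and 1306 respectively; the `new-mss=` values in the MikroTik rules follow directly from `mss_from_mtu`.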


Mikrotik ipv6 tcp-mss clamping example

/ipv6 firewall mangle
add action=change-mss chain=forward new-mss=1306 passthrough=yes protocol=tcp src-address=xxx:xxx:xxx:xxx::xxx/120 tcp-flags=syn tcp-mss=1307-65535
add action=change-mss chain=forward dst-address=xxx:xxx:xxx:xxx::xxx/120 new-mss=1306 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1307-65535

Have fun!

strongswan ipsec xauth howto

hi

I want to set up an IPsec tunnel from my desktop PC to one of my root servers in order to change my public IP address. I'm using Ubuntu 14.04 on both the server and the client.

On the root server you need the following:
1) firewall with NAT enabled, plus TCP MSS clamping (might not be necessary)
2) IP forwarding enabled
3) strongSwan configured on your root server
4) strongSwan configured on your client (Ubuntu and Android 4.4)

1) firewall:

# accept IPsec: IKE on udp/500 and NAT-T (UDP-encapsulated ESP) on udp/4500
iptables -A INPUT -p UDP --dport 500 -j ACCEPT
iptables -A INPUT -p UDP --dport 4500 -j ACCEPT
# activate NAT for the VPN client pool leaving via eth0
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/16 -j MASQUERADE
# clamp the TCP MSS on forwarded SYNs to avoid MTU problems with https websites
# (only SYNs advertising an MSS in the matched range are rewritten)
iptables -t mangle -A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
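Both the MikroTik `change-mss` rules in the first post and the iptables `TCPMSS --set-mss` rule above do the same thing to a packet: if a forwarded SYN advertises an MSS larger than the configured value, the MSS option is rewritten and the TCP checksum is recomputed; SYNs already advertising a smaller MSS, and non-SYN segments, pass untouched. The script below is an added example, not code from the original post or from either firewall; it builds a constructed IPv4/TCP SYN in memory and applies that rule to it, so it runs offline. Addresses and ports in it are made up.

```python
"""Added example (not from the original post): what an MSS clamping rule
(MikroTik change-mss, iptables TCPMSS --set-mss) does to a TCP SYN on the wire.
Operates on a constructed IPv4/TCP packet; no network access needed."""
import struct

TCP_SYN = 0x02


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_checksum(src: bytes, dst: bytes, tcp: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment (checksum field zeroed)."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])


def build_ipv4_syn(src: bytes, dst: bytes, sport: int, dport: int,
                   mss: int, flags: int = TCP_SYN) -> bytes:
    """Constructed packet: IPv4 (DF set) + TCP carrying only an MSS option (kind 2, length 4)."""
    options = struct.pack("!BBH", 2, 4, mss)
    data_offset = (20 + len(options)) // 4              # header length in 32-bit words
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                                data_offset << 4, flags, 65535, 0, 0) + options)
    tcp[16:18] = struct.pack("!H", _tcp_checksum(src, dst, bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0,
                               0x4000, 64, 6, 0, src, dst))
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    return bytes(ip + tcp)


def _find_mss_option(tcp: bytes):
    """Offset of the 16-bit MSS value inside the TCP header, or None if absent/malformed."""
    data_offset = (tcp[12] >> 4) * 4
    i = 20
    while i + 1 < data_offset:
        kind = tcp[i]
        if kind == 0:                 # end of option list
            return None
        if kind == 1:                 # NOP padding
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2:                # malformed option; refuse rather than loop forever
            return None
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None


def tcp_mss(packet: bytes):
    """MSS advertised in the segment, or None if there is no MSS option."""
    tcp = packet[(packet[0] & 0x0F) * 4:]
    off = _find_mss_option(tcp)
    return None if off is None else struct.unpack("!H", tcp[off:off + 2])[0]


def tcp_checksum_ok(packet: bytes) -> bool:
    """True if the stored TCP checksum matches a recomputation."""
    tcp = packet[(packet[0] & 0x0F) * 4:]
    return _tcp_checksum(packet[12:16], packet[16:20], tcp) == struct.unpack("!H", tcp[16:18])[0]


def clamp_mss(packet: bytes, new_mss: int) -> bytes:
    """The rule: for a SYN whose advertised MSS exceeds new_mss (the tcp-mss=1327-65535 /
    --mss 1361:1536 style match), rewrite the option to new_mss and fix the TCP
    checksum. Everything else is returned unchanged."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = bytearray(packet[ihl:])
    if not tcp[13] & TCP_SYN:                            # tcp-flags=syn
        return packet
    off = _find_mss_option(tcp)
    if off is None or struct.unpack("!H", tcp[off:off + 2])[0] <= new_mss:
        return packet                                    # nothing to clamp
    tcp[off:off + 2] = struct.pack("!H", new_mss)
    tcp[16:18] = struct.pack("!H", _tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
    return packet[:ihl] + bytes(tcp)


if __name__ == "__main__":
    syn = build_ipv4_syn(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 40000, 443, 1460)
    print("before:", tcp_mss(syn), "after:", tcp_mss(clamp_mss(syn, 1326)))
```

Note that clamping only rewrites what the client already advertises; it never raises an MSS, which is why the rules match `tcp-mss=1327-65535` (MikroTik) or `--mss 1361:1536` (iptables) rather than every SYN.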

2) ip forwarding:

vim /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

3) config of my strongswan server:

aptitude install strongswan strongswan-plugin-xauth-generic

vim /etc/ipsec.conf
conn yourconnectionname
 keyexchange=ikev1
 authby=xauthpsk
 xauth=server
 left=%defaultroute
 leftsubnet=0.0.0.0/0
 leftfirewall=yes
 right=%any
 rightsubnet=192.168.201.0/24
 rightsourceip=192.168.201.1/24
 rightdns=8.8.8.8
 auto=add
vim /etc/ipsec.secrets
ipofyourserver %any : PSK "yourpassword"
yourusername : XAUTH "yourxauthpassword"

now enable ip-forwarding and restart strongswan:

echo 1 > /proc/sys/net/ipv4/ip_forward
service strongswan restart

4) config of my desktop pc:

vim /etc/ipsec.conf
conn yourconnectionname
 keyexchange=ikev1
 left=%defaultroute
 leftsourceip=%config
 leftfirewall=yes
 leftauth=psk
 leftauth2=xauth
 leftid=yourusername
 right=ipofyourserver
 rightsubnet=0.0.0.0/0
 rightauth=psk
 auto=add
vim /etc/ipsec.secrets
: PSK "yourpassword"
yourusername : XAUTH "yourxauthpassword"

now restart strongswan on your desktop pc:

service strongswan restart

and start the vpn tunnel manually via:

ipsec up yourconnectionname

You are also able to use your android phone to connect via ipsec-xauth-psk:
Just go to: Settings -> Wireless & Networks -> More -> VPN -> +

Name: yourconnectionname
Type: IPSec Xauth PSK
Server address: yourservername or IP address
IPSec-Key: yourpassword (PSK)

Afterwards, open the new VPN connection; you will be asked for the username and password.

Hint: On CM12 with my Samsung Galaxy S4 mini, the phone reboots with IPsec XAuth. Seems to be a bug. L2TP/IPsec works perfectly with CM12 and the Samsung Galaxy S4 mini.

Hint 2: On Arch Linux, rightsubnet=0.0.0.0/0 suddenly stopped working on the client (no outbound IPsec traffic). I've simply added a route to my netctl config: Routes=('IpOfVpnGateway via YourDefaultGateway table 220')
It seems the VPN gateway itself was getting tunneled as well.

Have fun!