I have a site-to-site VPN between strongSwan and a Cisco 1841. The VPN works well, but there was a problem: some SSL websites could not be opened. After some research it turned out to be an MTU issue.
This is how I fixed it:
    conf t
     int fa0/1
      ip mtu 1500
     int fa0/0
      ip mtu 1500
In the case of Yahoo, I also needed to add this on the strongSwan server (clamp the TCP MSS on SYN packets leaving the tunnel interface and disable path MTU discovery):
    $ iptables -t mangle -A FORWARD -o eth0 \
        -p tcp -m tcp --tcp-flags SYN,RST SYN \
        -m tcpmss --mss 1361:1536 \
        -j TCPMSS --set-mss 1360
    $ echo 1 >/proc/sys/net/ipv4/ip_no_pmtu_disc
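To pick the MSS value for the clamp instead of guessing it, you can measure the largest packet that actually crosses the tunnel with the DF bit set and subtract the IP and TCP header overhead. The script below is an added example (my own code, not part of the original post or of strongSwan); it assumes Linux iputils ping (`-M do` sets DF, `-s` is the ICMP payload size, so the IP packet is payload + 28 bytes) and a root shell for the iptables part. The function names (`find_max_payload`, `apply_mss_clamp`, etc.) are my own. With a tunnel MTU of 1400 it yields the same `--set-mss 1360` used above.

```shell
#!/bin/sh
# Added example (not from the original post): binary-search the largest
# DF-flagged ping payload that crosses the tunnel, derive the path MTU and
# the TCP MSS to clamp to, and install the clamp idempotently.

IP_ICMP_OVERHEAD=28   # 20 bytes IPv4 header + 8 bytes ICMP header
IP_TCP_OVERHEAD=40    # 20 bytes IPv4 header + 20 bytes TCP header (no options)

# ping_probe PAYLOAD HOST: succeeds when a DF-flagged ping of PAYLOAD bytes
# reaches HOST without fragmentation (iputils ping, Linux).
ping_probe() {
    ping -M do -s "$1" -c 1 -W 2 "$2" >/dev/null 2>&1
}

# find_max_payload PROBE HOST LOW HIGH
# Largest payload in [LOW, HIGH] for which "PROBE payload HOST" succeeds.
# PROBE is assumed monotonic: it works up to some limit and fails above it.
find_max_payload() {
    probe=$1; host=$2; lo=$3; hi=$4
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid" "$host"; then
            best=$mid
            lo=$((mid + 1))
        else
            hi=$((mid - 1))
        fi
    done
    echo "$best"
}

# payload_to_mtu PAYLOAD: path MTU in bytes for the measured ICMP payload.
payload_to_mtu() { echo $(( $1 + IP_ICMP_OVERHEAD )); }

# mtu_to_mss MTU: MSS to clamp to for IPv4 TCP without options.
mtu_to_mss() { echo $(( $1 - IP_TCP_OVERHEAD )); }

# apply_mss_clamp IFACE MSS
# Appends the mangle/FORWARD TCPMSS rule only if it is not already present,
# so the script can be re-run safely (requires root).
apply_mss_clamp() {
    iface=$1; mss=$2
    set -- FORWARD -o "$iface" -p tcp --tcp-flags SYN,RST SYN \
           -j TCPMSS --set-mss "$mss"
    iptables -t mangle -C "$@" 2>/dev/null || iptables -t mangle -A "$@"
}

# Usage: sh mss-probe.sh <host-behind-tunnel> [tunnel-iface]
if [ $# -ge 1 ]; then
    payload=$(find_max_payload ping_probe "$1" 0 1472)
    mtu=$(payload_to_mtu "$payload")
    mss=$(mtu_to_mss "$mtu")
    echo "path MTU: $mtu  ->  clamp MSS to $mss"
    [ $# -ge 2 ] && apply_mss_clamp "$2" "$mss"
fi
```

Run it against a host on the far side of the tunnel; if the probe host rate-limits or drops ICMP the search reports 0, so confirm the result with a plain `ping` before trusting it. The `-C` check before `-A` keeps repeated runs (for example from a strongSwan updown script) from stacking duplicate rules.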
For your reference:
MTU woes in IPsec tunnels and how you can fix it