[Swan] Tunnel behind NAT: large packets freeze it

Davide Pucci d.pucci at i-node.it
Mon Jun 11 15:40:44 UTC 2018


Thank you for the information.
After a long time, some concrete needs brought me to retry fixing the problem, and it seems I managed to do it.
A first attempt to find the correct MTU (MSS) was made with `ping -M do -s 1500 192.168.1.1` (from a local machine behind the tunnel to one on the other side), decreasing that 1500 step by step until I got no warning about fragmentation.
That seemed to be 1394.
Once there, I inserted the following rule on the VPN routers:
 > iptables -t mangle -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -d 192.168.1.0/24 -m tcpmss --mss 1395:1500 -j TCPMSS --set-mss 1394
Where eth1 is the outgoing interface and 192.168.1.0/24 is the subnet on the other side of the tunnel.
Then I SSHed into 192.168.1.1 and started typing common commands that previously made the issue appear: part of the issues were actually solved, but in some cases they persisted.
So, on the gateways on both tunnel sides, I dumped traffic on the tunnel using tcpdump and retried the failing cases: these dumps revealed that, when the packet transfer rate quickly increased (as with a `for i in {0..300}; do ps ax; done`), the last packet caught before the SSH session blew up was 1348 bytes in size.

So I updated the iptables rule to lower the old MSS to the new value, and now it seems to be pretty stable.
I'm obviously still testing, but a few hours of usage suggest to me that the problem is (almost) solved.

Thank you all for the help.

Kind regards,
Davide Pucci.

**********

Davide Pucci
Systems and Software Engineer
Mob: +39 348 923 7278
Tel: +39 06 5960 2069
Fax: +39 06 5960 6185
Email: d.pucci at i-node.it

I-node S.r.l.
We build you® .biz
Via di San Giovanni in Laterano, 84 - 00184 Roma (RM)
Twitter: http://www.twitter.com/i_node
Website: http://www.i-node.it

----- Original message -----
From: "Paul Wouters" <paul at nohats.ca>
To: "Davide Pucci" <d.pucci at i-node.it>
Cc: "swan" <swan at lists.libreswan.org>
Sent: Saturday, 23 December 2017 20:50:54
Subject: Re: [Swan] Tunnel behind NAT: large packets freeze it

On Thu, 21 Dec 2017, Davide Pucci wrote:

> > Most likely broken path mtu discovery, see:
> > https://libreswan.org/wiki/FAQ#My_ssh_sessions_hang_or_connectivity_is_very_slow
> 
> Thank you for your answer, but I already tried any of those solutions (tried almost every value from 1500 down to 250), without actually fixing the problem at all.
> Any other help? Keep in mind that I have other tunnels between the hosts the one behind NAT is connecting to, and when NAT-ed host is not involved, I've no problems at all.

One host or another has the problem with MTU. Going lower than 1300
should never be needed (and is dangerous if/when using L2TP/PPP, which
uses 1200 on most OSes).

You really do have an MTU issue if pings work but screens of output
freeze. It could be a problem on multiple machines. Note also that
conntrack tables might not instantly update, so you might have to
redo the tests after running conntrack -F to clear the kernel state.

Paul
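The procedure Davide describes above (shrink a DF-bit ping until nothing is fragmented, then clamp TCP MSS with the iptables TCPMSS target), as an added Python example that is not part of the thread. The `probe` callable, `ping_df_probe` and the `tcpmss_rule` helper are my own assumptions; the example also derives the MSS from the measured path MTU (MTU minus 40 bytes of IPv4+TCP headers), whereas the thread clamps directly to the successful ping payload size, which is simply more conservative.

```python
"""Path-MTU probing and MSS clamp derivation (added example, not the thread's code)."""
import subprocess
from typing import Callable

IPV4_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header
IPV4_TCP_OVERHEAD = 40   # 20-byte IPv4 header + 20-byte TCP header (no options)


def ping_df_probe(host: str, payload: int, timeout: int = 2) -> bool:
    """Real probe (assumed helper): one DF-bit ping with `payload` data bytes.

    Uses Linux iputils flags: -M do sets DF, -s sets the payload size.
    Returns True when the echo reply arrives (no 'message too long' error)."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout), "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def find_max_payload(probe: Callable[[int], bool], lo: int = 100, hi: int = 1472) -> int:
    """Binary-search the largest DF ping payload that gets through the tunnel.

    Replaces the manual step-down from 1500 in the mail. `lo` is a size that
    must work; `hi` is the largest size tried (1472 = 1500-byte Ethernet MTU
    minus 28). Returns 0 if even `lo` fails: then ICMP is probably being
    dropped by a firewall and the result says nothing about the MTU."""
    if not probe(lo):
        return 0
    while lo < hi:
        mid = (lo + hi + 1) // 2   # bias upward so the loop always makes progress
        if probe(mid):
            lo = mid               # mid fits: the answer is mid or larger
        else:
            hi = mid - 1           # mid was fragmented/rejected: answer is below mid
    return lo


def path_mtu_from_payload(payload: int) -> int:
    """Ping payload of N bytes is an IPv4 packet of N + 28 bytes on the wire."""
    return payload + IPV4_ICMP_OVERHEAD


def mss_for_mtu(path_mtu: int) -> int:
    """TCP MSS that keeps a full segment within the path MTU (IPv4, no options)."""
    return path_mtu - IPV4_TCP_OVERHEAD


def tcpmss_rule(oif: str, dst_net: str, mss: int, upper: int = 1500) -> str:
    """Clamp rule in the form used in the thread: rewrite only SYNs advertising a larger MSS."""
    return (f"iptables -t mangle -A FORWARD -o {oif} -p tcp -m tcp --tcp-flags SYN,RST SYN "
            f"-d {dst_net} -m tcpmss --mss {mss + 1}:{upper} -j TCPMSS --set-mss {mss}")
```

With a real host, `find_max_payload(lambda n: ping_df_probe("192.168.1.1", n))` performs about ten pings instead of the one-at-a-time step-down.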

