TCP MSS clamping with iptables for an IPsec tunnel

When routing traffic through an (IPsec) tunnel, the gateway at the tunnel endpoint may need to clamp the TCP MSS if you are experiencing MTU problems: the encapsulation eats part of the MTU of the physical path, so full-size segments no longer fit.

For example, with a site-to-site VPN where a specific gateway is the tunnel endpoint, browsing through the tunnel may leave some websites loading only partially or not at all while others work. Small packets (DNS, the TCP handshake, short requests) pass, but full-size segments exceed the tunnel's effective MTU and are dropped, and when the ICMP "fragmentation needed" messages of path MTU discovery are filtered somewhere along the path, the sender never learns to shrink them.

An example of fixing this with iptables (replace <local-subnet> with the network behind this gateway; the TCPMSS target is documented for the mangle table, hence -t mangle):

iptables -t mangle -A FORWARD -s <local-subnet> -o ens4 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360

This rewrites the MSS option to 1360 in TCP SYN packets (SYN set, RST clear, which also matches SYN-ACKs) from the local subnet that are forwarded out of interface ens4. Only SYN packets carry the MSS option, so matching on them is enough. Note that the MSS a host announces limits what the peer may send back to it, so this rule caps the segments arriving through the tunnel; to also cap what your own hosts send into the tunnel, add the mirror rule with -i ens4 and -d <local-subnet>.

The 1360 value depends on the situation. It is not the IPsec overhead itself: it is the MTU of the outer path (1500 bytes here) minus the IPv4 and TCP headers (40 bytes) minus the space the IPsec encapsulation needs. ESP in tunnel mode adds roughly 60 to 80 bytes (outer IP header, ESP header, IV, padding and trailer, ICV, plus 8 bytes of UDP when NAT traversal is in use), so 1360 leaves some margin below the roughly 1380 a 1500-byte path allows. To verify, send DF-marked pings through the tunnel, e.g. ping -M do -s 1372 <remote host> (a 1400-byte IP packet): if that passes while larger sizes fail, an MSS of 1360 fits. After adding the rule, iptables -t mangle -L FORWARD -v -n should show its counters increase as new connections are opened.
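The arithmetic above, and the two-direction rule set it leads to, as an added example that is not part of the original post. The interface name ens4 and the subnet 10.0.1.0/24 are hypothetical placeholders, the overhead figures are the worst case for ESP tunnel mode with the named algorithms, and the script only prints the iptables rules rather than applying them:

```shell
#!/bin/sh
# Added example, not from the original post: derive the MSS from the path MTU
# and the IPsec overhead, sanity-check it, and print clamping rules for both
# directions. ens4 and 10.0.1.0/24 are hypothetical; nothing here runs iptables.

# esp_overhead IV_LEN ICV_LEN NAT_T
# Worst-case ESP tunnel-mode overhead: outer IPv4 header (20), ESP header (8),
# IV, up to 15 bytes of padding plus the 2-byte trailer (17), ICV, and 8 bytes
# of UDP when NAT traversal encapsulation is used (NAT_T=1).
esp_overhead() {
    iv=$1
    icv=$2
    nat_t=$3
    echo $(( 20 + 8 + iv + 17 + icv + nat_t * 8 ))
}

# mss_for_mtu MTU OVERHEAD
# MSS = MTU - 20 (IPv4 header) - 20 (TCP header) - OVERHEAD (IPsec encapsulation).
# Refuses results below 536, the MSS implied by the IPv4 minimum MTU of 576,
# which would mean the MTU or overhead estimate is bogus.
mss_for_mtu() {
    mtu=$1
    overhead=$2
    mss=$(( mtu - 40 - overhead ))
    if [ "$mss" -lt 536 ]; then
        echo "mss_for_mtu: $mss is below the IPv4 minimum MSS of 536" >&2
        return 1
    fi
    echo "$mss"
}

# mss_clamp_rules IFACE SUBNET MSS
# One rule per direction. The MSS a host announces in its SYN (or SYN-ACK)
# limits what the peer may send back, so the -o rule caps segments arriving
# through the tunnel and the -i rule caps what our hosts send into it.
# TCPMSS is documented for the mangle table, hence -t mangle.
mss_clamp_rules() {
    iface=$1
    subnet=$2
    mss=$3
    cat <<EOF
iptables -t mangle -A FORWARD -s $subnet -o $iface -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss
iptables -t mangle -A FORWARD -d $subnet -i $iface -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss
EOF
}

# Worked case: 1500-byte path MTU, AES-CBC (16-byte IV) with HMAC-SHA1-96
# (12-byte ICV), NAT-T enabled. Overhead 81 bytes, MSS 1379; the post's 1360
# leaves a further 19 bytes of headroom.
overhead=$(esp_overhead 16 12 1)
mss=$(mss_for_mtu 1500 "$overhead")
echo "# ESP overhead $overhead bytes -> MSS $mss"
mss_clamp_rules ens4 10.0.1.0/24 "$mss"
```

Pipe the output into sh once the numbers look right, or paste the rules into your firewall script. A fixed --set-mss is the usual choice for policy-based IPsec, where the tunnel is not a separate network interface with its own MTU; when the tunnel is an interface whose MTU already accounts for the encapsulation (a VTI or XFRM interface, for instance), -j TCPMSS --clamp-mss-to-pmtu can derive the value from the route instead of a hand-computed constant.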

By jochen

Developer at TestingBot and Tinder
