IPSec/VTI/BGP: MSS clamping on VPN traffic

  • a few words about my environment:
    corporate IPSec VPNs using /30 VTI interfaces, which are also used for BGP peerings.

    Just want to clarify: how do I define corporate VPN networks so that MSS clamping is applied to them?

    a bit of research:

    grep scrub /tmp/rules.debug

    scrub from any to <vpn_networks> max-mss 1360
    scrub from <vpn_networks> to any max-mss 1360
    scrub on $WAN all    fragment reassemble
    scrub on $LAN all    fragment reassemble

    reviewed the filter_generate_scrubing and filter_get_vpns_list functions (/etc/inc/filter.inc)

    discovered that there is a special table called vpn_networks.
    But found nothing about how this table gets filled in my case (VTI /30). That is why I was forced to keep a fake, disabled P2 for IPsec next to the VTI P2 (keep in mind [1]).

    I don't want to edit /etc/inc/filter.inc and change <vpn_networks> to, for example, a manually created (via WebUI) <crp_vpn_networks> alias (these changes will be lost during the next upgrade). Also I guess bug #7622 will finally be fixed [1].

    the main question: how to fill the special table <vpn_networks> in a way that survives future upgrades?
    What is the right way?


    [1] https://redmine.pfsense.org/issues/7622

    P.S. I tried to write a custom script, but without success.

    cat /usr/local/pkg/custom_scrub_rules.inc

    <?php
    // clamp MSS in both directions for networks in the manually created <crp_vpn_networks> alias
    function custom_filter_generate_scrubing() {
            $scrubrules = "";
            $crp_maxmss = 1360;
            $scrubrules .= "scrub from any to <crp_vpn_networks> max-mss {$crp_maxmss}\n";
            $scrubrules .= "scrub from <crp_vpn_networks> to any max-mss {$crp_maxmss}\n";
            return $scrubrules;
    }

  • @oyermolenko

    But why would the VTI interface change the MSS?
    By default, this interface is created with mtu=1400 (mss 1360)

    #define IPSEC_MTU       1400
    #define IPSEC_MTU_MIN   1280
    #define IPSEC_MTU_MAX   8192
    ifp->if_mtu = IPSEC_MTU;
    ifp->if_flags  = IFF_POINTOPOINT | IFF_MULTICAST;
    [2.4.4-RELEASE][admin@pfSense.localdomain]/root: ifconfig ipsec2000
    ipsec2000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400

    you can change the MTU or MSS in the VTI interface settings

    the <vpn_networks> table is used for other purposes:

    1 ipsec mobile client
    2 ipsec in tunnel mode site to site connection
    3 openvpn

  • Yes, @Konstanti, you are right, VTI interfaces have MTU 1400

    But despite this fact I have an issue related to MSS/MTU.


  • @oyermolenko
    try reducing the MSS in the settings of the VTI interface


  • my main problem is very poor performance: 100-300 KB. I tried changing the interface settings as described in the previous @Konstanti reply. Without success.
    But frankly speaking I'm not sure that the tcpdump was captured with these recommendations applied.

  • @oyermolenko

    try reducing the MSS to 1300 (MTU 1340)
    in February-March this year there was a topic where it helped

  • decreased it to 576 :-(

  • nowadays I just keep a disabled P2 with the needed nets for scrubbing.
