Skip to content

Instantly share code, notes, and snippets.

@redeltaglio

redeltaglio/ipsec.conf

Forked from nlacourte/ipsec.conf
Created February 20, 2021 07:13
Show Gist options
  • Save redeltaglio/aea5dc4fdbb7f9fe72663f0deadd255d to your computer and use it in GitHub Desktop.
Save redeltaglio/aea5dc4fdbb7f9fe72663f0deadd255d to your computer and use it in GitHub Desktop.
Download ZIP
StrongSwan ipsec updown script for mangle TCPMSS
Raw
ipsec.conf
#Ipsec.conf example
conn vrackxxxxx_psk
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
authby=secret
keyexchange=ikev2
mobike=no
auto=add
type=tunnel
right=x.x.x.x
rightsubnet=x.x.x.x/x
left=%config
leftsubnet=x.x.x.x/x
leftsourceip=%config
compress=yes
leftupdown=/etc/strongswan-updown.sh
Raw
strongswan-updown.sh
#! /bin/sh
case "$PLUTO_VERB:$1" in
up-client:)
iptables -t mangle -A INPUT -i $PLUTO_INTERFACE -s $PLUTO_PEER_CLIENT -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
iptables -t mangle -A OUTPUT -o $PLUTO_INTERFACE -d $PLUTO_PEER_CLIENT -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
;;
down-client:)
iptables -t mangle -D INPUT -i $PLUTO_INTERFACE -s $PLUTO_PEER_CLIENT -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
iptables -t mangle -D OUTPUT -o $PLUTO_INTERFACE -d $PLUTO_PEER_CLIENT -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
;;
esac
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment