• seshu.losetti6@gmail.com
  • Hyderabad

How To Set a Specific MSS Value Through an IPsec Connection

Overview:

This article describes how to set the MSS value for an IPsec connection. After making the changes below, all TCP traffic passing through the IPsec connection will use the new MSS value.

Suppose the scenario is a site-to-site IPsec VPN between XG firewall A and XG firewall B.

XG firewall A network: 192.168.1.0/24

XG firewall B network: 10.0.0.0/24

From network A you are able to ping network B, but you are not able to reach any HTTPS website. This is commonly caused by the MSS value being too large for the tunnel. In such cases you can test by reducing the MSS value.

Method-1:

Method-1 changes the MSS value with iptables commands on the firewall.

Log in to the Sophos firewall CLI; the following article describes how to do this:

CLI

Select “Device Management” and then select “Advanced Shell”.

Execute the following two commands in the shell:

iptables -t mangle -I POSTROUTING -d 10.0.0.0/24 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1300
iptables -t mangle -I POSTROUTING -s 10.0.0.0/24 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1300

The rules match 10.0.0.0/24 because you are accessing from the XG firewall A network, so they must refer to the XG firewall B network: the -d rule clamps the SYNs going towards network B and the -s rule clamps the SYN/ACKs coming back from it.

Then test again; you should now be able to access the site.

Note: These commands do not persist across a reboot. If you reboot the firewall, these entries are removed from iptables.

To make these iptables rules persist across reboots, follow the method below.

Method-2:

Login to Sophos XG firewall >> Device Management >> Advanced shell

1. Make the root drive read/write by executing the command below:

mount -o remount,rw /


2. Then enter the command to open the “customization_application_startup.sh” file in the vi editor.


3. Press “i” to edit the file. Once you press “i”, the keyword INSERT appears at the bottom left, and you can now enter commands into the file.


4. Enter the following two commands in the file:

iptables -t mangle -I POSTROUTING -d 10.0.0.0/24 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1300
iptables -t mangle -I POSTROUTING -s 10.0.0.0/24 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1300


5. Now press the “Esc” key. This returns vi to command mode, where you can enter editor commands.


You can see that the INSERT keyword has disappeared from the bottom left.

Now type a colon followed by “wq!” to save the file and exit.


Once you execute this command, the file is saved.

6. Now make the root drive read-only again, since it was made read/write earlier.

mount -o remount,ro /

Now test the connection; it should work. If you still cannot reach any website through the VPN, the cause may not be the MSS value; see the following article on website access issues.
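As an added example (not from the original article or from Sophos' own scripts), the POSIX sh script below wraps the two rules in an idempotent install check so that re-running it from customization_application_startup.sh never stacks duplicate rules, and adds a helper that counts the clamp rules in an iptables -S listing so you can verify them after a reboot. The peer network, the MSS of 1300 and the ESP overhead figure are assumptions to adjust for your tunnel.

```shell
#!/bin/sh
# Added example, not part of the original article or Sophos' own scripts.
# Assumed values: adjust PEER_NET and MSS to your tunnel.
PEER_NET="10.0.0.0/24"
MSS=1300

# Starting point for choosing the MSS: path MTU minus the IPv4+TCP headers
# (40 bytes) minus the per-packet ESP overhead. The overhead depends on the
# cipher, HMAC and NAT-T in use; any figure passed here is an assumption.
mss_for_mtu() {
    echo $(( $1 - $2 - 40 ))
}

# Rule specification (the part after the chain name) for one direction.
# -d clamps SYNs from the local LAN heading to the peer; -s clamps the
# SYN/ACKs coming back, so both ends of the handshake carry the reduced MSS.
mss_rule_spec() {
    printf '%s %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss %s' "$1" "$2" "$3"
}

# Insert a rule only when it is not already in mangle/POSTROUTING, so running
# the script repeatedly (or from the startup hook) never adds duplicates.
ensure_mss_rule() {
    spec=$(mss_rule_spec "$@")
    # word-splitting of $spec into separate arguments is intended here
    # shellcheck disable=SC2086
    if iptables -t mangle -C POSTROUTING $spec 2>/dev/null; then
        echo "present: $spec"
    else
        iptables -t mangle -I POSTROUTING $spec && echo "added: $spec"
    fi
}

# Count the clamp rules for NET in an `iptables -t mangle -S POSTROUTING`
# listing read from stdin; 2 means both directions are in place.
count_mss_rules() {
    grep -c -- "^-A POSTROUTING -[ds] $1 .*-j TCPMSS"
}

# Only touch the firewall when explicitly asked, e.g. `sh clamp-mss.sh install`.
case "${1:-}" in
    install)
        ensure_mss_rule -d "$PEER_NET" "$MSS"
        ensure_mss_rule -s "$PEER_NET" "$MSS"
        ;;
    verify)
        iptables -t mangle -S POSTROUTING | count_mss_rules "$PEER_NET"
        ;;
esac
```

Running it with `verify` after a reboot should print 2 when the startup hook installed both rules.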

website

Hope this article helps you.
