L2TP/IPsec with NAT-Traversal optimal MTU setting
I ran some tests to verify the MTU setting that I suggested in [POST="149202"]Part II[/POST] of this thread, namely 1280, which is the recommended choice for L2TP without NAT-Traversal.
In order to check this, I established an L2TP/IPsec connection from my iPhone (iOS 7.0.4) via 3G to my VPN server behind a NAT, and sent a ping(8) from the server to the internal VPN address of the iPhone.
Code:
# ping -D -c1 -s1252 192.168.0.150
-D is the don't fragment flag
-c1 means send only one ping
-snnnn is the payload size in bytes of the ping (without the headers)
The payload size of 1252 bytes corresponds to an MTU of 1280, since the size of the IP header (20 bytes) and of the ICMP header (8 bytes) have to be added. Anyway, the iPhone did not respond.
The iPhone began responding to pings with payload sizes less than or equal to 1202, i.e. the MTU for this kind of connection shall be 1230. The WAN link of the server has an MTU of 1500. Of course, the final result might differ if the raw MTU is already less than 1500. You might want to repeat the tests with your connection. For the tests, remove the MTU setting from /usr/local/etc/mpd5/mpd.conf.
During these tests, it turned out that the multilink option in /usr/local/etc/mpd5/mpd.conf had no effect, so I removed it. Without multilink, it is not necessary to add sequential information, and therefore I removed the l2tp option length and disabled the l2tp option dataseq. Finally, the iPhone supports header compression, and I enabled the link options acfcomp protocomp.
For the record, here comes the improved file /usr/local/etc/mpd5/mpd.conf:
Code:
startup:
	# configure mpd users
	set user super pwSuper admin
	# configure the console
	set console self 127.0.0.1 5005
	set console open
	# configure the web server
	set web self 0.0.0.0 5006
	set web open

default:
	load l2tp_server

l2tp_server:
	# Define dynamic IP address pool.
	set ippool add pool_l2tp 192.168.0.150 192.168.0.199
	# Create clonable bundle template named B_l2tp
	create bundle template B_l2tp
	set iface enable proxy-arp
	set iface enable tcpmssfix
	set ipcp yes vjcomp
	# Specify IP address pool for dynamic assignment.
	set ipcp ranges 192.168.0.1/32 ippool pool_l2tp
	set ipcp dns 192.168.0.1
	# Create clonable link template named L_l2tp
	create link template L_l2tp l2tp
	set link action bundle B_l2tp
	set link mtu 1230
	set link keep-alive 0 0
	set link yes acfcomp protocomp
	set link no pap chap eap
	set link enable chap
	# Configure L2TP
	set l2tp self 192.168.0.1
	set l2tp disable dataseq
	# Accept incoming calls
	set link enable incoming
I updated [POST="149202"]Part II[/POST] of this thread with these improvements.
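As an added example (not part of the original post or of mpd5), the don't-fragment probe described above can be automated: the script binary-searches the largest ICMP payload the VPN peer still answers and converts it to the value for "set link mtu", using the same 20-byte IP and 8-byte ICMP header arithmetic as the post. It assumes FreeBSD ping(8) with the flags used in the post (-D, -c1, -s) plus -W in milliseconds, which is an added assumption.

```shell
#!/bin/sh
# Added example, not from the original post or from mpd5: automate the
# don't-fragment ping probe. It binary-searches the largest ICMP payload
# the VPN peer still answers and converts it to the MTU for "set link mtu".
# Assumes FreeBSD ping(8): -D, -c1, -s<size> as in the post, plus
# -W <ms> (per-packet reply wait), which is an added assumption.

IP_HDR=20     # IPv4 header
ICMP_HDR=8    # ICMP echo header

# payload -> MTU: 1202 -> 1230 (the post's result)
payload_to_mtu() { echo $(( $1 + IP_HDR + ICMP_HDR )); }

# MTU -> payload: 1280 -> 1252 (the post's first, unanswered probe)
mtu_to_payload() { echo $(( $1 - IP_HDR - ICMP_HDR )); }

# probe PEER PAYLOAD: exit 0 if one unfragmented ping is answered.
probe() {
    ping -D -c1 -W 1000 -s "$2" "$1" >/dev/null 2>&1
}

# find_max_payload PEER LO HI: largest payload in [LO, HI] the peer
# answers. $PROBE names the probe function (default: probe) so the
# search itself can be exercised offline with a stand-in.
find_max_payload() {
    peer=$1; lo=$2; hi=$3; best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "${PROBE:-probe}" "$peer" "$mid"; then
            best=$mid; lo=$(( mid + 1 ))     # answered: try larger
        else
            hi=$(( mid - 1 ))                # dropped: try smaller
        fi
    done
    echo "$best"
}

# Usage: ./l2tp_mtu_probe.sh <internal VPN address of the peer>
# Run it with the "set link mtu" line removed from mpd.conf, as the post says.
if [ -n "$1" ]; then
    max=$(find_max_payload "$1" 500 "$(mtu_to_payload 1500)")
    echo "largest unfragmented payload: $max bytes"
    echo "set link mtu $(payload_to_mtu "$max")"
fi
```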