MSS doesn't change when going to IPsec Tunnel

Hello,

I’m having issues with changing MSS for traffic going to an IPsec VPN tunnel. Looking at packet captures, the MSS change works fine when the traffic is excluded from the tunnel, but when it is included, the MSS doesn’t seem to change.

I’ve tried both forward and postrouting chains for the change MSS rule but with the same results.

The VPN is set according to the article here: https://wiki.mikrotik.com/wiki/IKEv2_EAP_between_NordVPN_and_RouterOS

I’m using an address-list to mark connections:

add action=mark-connection chain=postrouting comment="NordVPN connection marker - My Devices" connection-mark=!bypass_VPN new-connection-mark=NordVPN out-interface=ether1-gateway passthrough=yes src-address-list=via_vpn
add action=change-mss chain=postrouting comment="NordVPN MSS" connection-mark=NordVPN new-mss=1300 out-interface=ether1-gateway passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1301-65535

I’ve also tried a simple rule for a single IP to test MSS change:

add action=change-mss chain=forward new-mss=500 passthrough=yes protocol=tcp src-address=192.168.x.x tcp-flags=syn tcp-mss=501-65535

The rules are always being hit but the MSS doesn’t seem to change unless I bypass the VPN by removing the IP from the address-list.

I’m using a hAP ac running v6.45.8.

Any help would be very appreciated.
Thank you
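
To see exactly what a change-mss rule like the ones above does on the wire, and to have a way of checking a capture for it, here is an added Python example that is not part of this thread or of RouterOS: it parses the TCP options of a SYN, applies the same matcher semantics (tcp-flags=syn, tcp-mss=1301-65535, new-mss=1300) and recomputes the TCP checksum. The addresses and the SYN segment are constructed sample data.

```python
import socket
import struct

SRC_IP, DST_IP = "192.168.88.10", "203.0.113.5"   # constructed sample addresses, not from the thread

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (the TCP checksum arithmetic)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over IPv4 pseudo-header + segment; returns 0 for a segment whose checksum field is already correct."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    return ~ones_sum(pseudo + segment) & 0xFFFF

def build_syn(src_ip, dst_ip, sport, dport, mss):
    # Constructed SYN: 20-byte header (data offset 6 = 24 bytes) plus a kind=2, len=4 MSS option.
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    seg = bytearray(header + struct.pack("!BBH", 2, 4, mss))
    seg[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)

def find_mss(segment: bytes):
    """Walk the TCP options; return (offset of the MSS value, MSS) or None if absent."""
    end, i = (segment[12] >> 4) * 4, 20
    while i < end:
        kind = segment[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP padding
            i += 1
            continue
        if kind == 2 and segment[i + 1] == 4:
            return i + 2, struct.unpack("!H", segment[i + 2:i + 4])[0]
        i += segment[i + 1]
    return None

def clamp_mss(src_ip, dst_ip, segment, new_mss=1300, mss_range=(1301, 65535)):
    found = find_mss(segment) if segment[13] & 0x02 else None              # tcp-flags=syn
    if found is None or not mss_range[0] <= found[1] <= mss_range[1]:      # tcp-mss=1301-65535
        return segment
    seg = bytearray(segment)
    seg[found[0]:found[0] + 2] = struct.pack("!H", new_mss)
    seg[16:18] = b"\x00\x00"                                                # zero, then recompute
    seg[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)
```

Running find_mss over the SYNs in a capture taken on the VPN side of the router is the same check as reading the MSS column in a sniffer: if the value is still above new-mss there, the rewrite did not happen on that path.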

You don’t have to change MTU/MSS actively here.

http://forum.mikrotik.com/t/mtu-troubles-using-ikev2-providers-like-nordvpn-work-around/135154/1

Hi,
I have a problem with a MikroTik CPE LHG with a VPN on NethServer. I have a CPE with a PPPoE server → LAN connected to NethServer. If I use other connections the VPS on NethServer is OK, but if I switch to this connection the VPN is down, or up for just a few minutes. I tested forcing the MSS to change to 1300, but after ten minutes the VPN goes down.
Could you help me resolve this problem? Can I force all MTUs?
Now I have MTU 1480 on PPPoE and 1500 on Ethernet.

I can’t help you except for lowering the MTU from 1480 to 1280 and trying again.