NordVPN IPsec fragmentation issue

I have set up NordVPN according to this guide https://support.nordvpn.com/Connectivity/Router/1360295132/Mikrotik-IKEv2-setup-with-NordVPN.htm

Works great, but I have an issue with multiple links. I lowered the MTU on my Windows 10 to 1438 and since then I have no issues. I would like to use a mangle rule to adjust the MTU to this value rather than doing it on every workstation.

I was wondering if someone has done so and resolved such an issue.

Rock.

Look at the “change MSS” example here https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Mangle

/ip firewall mangle
add out-interface=pppoe-out protocol=tcp tcp-flags=syn action=change-mss new-mss=1300 chain=forward tcp-mss=1301-65535

Zacharias,

Thank you for this super-fast reply. I'm using IPsec mode config with a source address list, so I don't have an interface. This is where I get stuck. Should I mangle against the same source address list? There is also a parameter to set a connection mark in this mode config dialog box, which might be a better option.

Second question: how is the MSS related to the MTU? Is the MSS the packet size minus the header?

Rock

Connection marking is the easiest; then you replace PPPoE-out by your connection mark, i.e. don't use out-interface but connection-mark.

Second question: how is the MSS related to the MTU? Is the MSS the packet size minus the header?

MSS = MTU - size of TCP header - size of IP header - size of IPsec

Thank you both,

So I would guess that marking the connection based on the source address list of the devices I want to be behind this VPN is my best bet. I guess I could be even more granular by actually connection-marking protocols and ports!

MSS: if the IP header (20 bytes) and ICMP header (8 bytes) make the ping request that passes through at 1410, making the working MTU 1410+28 = 1428, I would presume that the IPsec overhead is 72 bytes in my case. I understand that the IPsec header size might vary depending on configuration.

Knowing that a TCP header, compared to an ICMP header, is 20-8=12 bytes longer, my MSS would then be

MSS = 1500 - 20 - 20 - 72 = 1388.

Does that sound right?

Rock.

If your connection marking is based on source addresses, then stay with using just source addresses.

In my situation I can use two different MTUs: if on the same router using connection marking, I can use 1380. When it is routed to another router that is using source addresses, then I can use 1396. I set it to 1380 so both are working, and splitting them up is complicated.

Don’t forget that you have to change the value in two locations in the line:

…action=change-mss new-mss=1388 chain=forward tcp-mss=!0-1388

I test the MTU with the site Antary.de, and if it keeps loading, my MTU value is too high.

or 1389-65535
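As an added example, not from the thread or from the NordVPN guide, here is the connection-mark variant of the change-mss rule described above written out in full. The address list name vpn-clients, its address, and the connection mark vpn are assumed names; the MSS value 1388 is the one computed earlier in the thread, and tcp-mss=1389-65535 is the equivalent of tcp-mss=!0-1388.

```routeros
# Added example (not from the thread or the NordVPN guide).
# Assumed names: address list "vpn-clients", connection mark "vpn".
/ip firewall address-list
add list=vpn-clients address=192.168.88.0/24 comment="LAN hosts that use the IPsec tunnel (assumed)"

/ip firewall mangle
# Tag every new connection that originates from a listed host. The mark
# stays on the connection, so later packets in both directions carry it.
add chain=prerouting src-address-list=vpn-clients connection-state=new \
    action=mark-connection new-connection-mark=vpn passthrough=yes \
    comment="tag tunnel-bound connections"

# Clamp the MSS in the SYN of every marked TCP connection. The two numbers
# must agree: tcp-mss=1389-65535 matches only SYNs that advertise more than
# new-mss=1388, so SYNs that already carry a smaller value are left alone.
add chain=forward connection-mark=vpn protocol=tcp tcp-flags=syn \
    tcp-mss=1389-65535 action=change-mss new-mss=1388 \
    comment="MSS clamp for IPsec tunnel: 1500 - 20 - 20 - 72"
```

Because the clamp matches on the connection mark rather than on src-address-list, it also rewrites the MSS in the SYN/ACK coming back through the tunnel, so both ends of the connection see the reduced value. To check that the rules are hit, run /ip firewall mangle print stats and confirm the packet counters on both rules increase when a listed host opens a new TCP connection; if the counter on the clamp rule stays at zero, the SYNs are not carrying the mark.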