I use an IKEv2 VPN service with Mode Configuration enabled as client on the Mikrotik router. I am trying to lower the TCP MSS for connections going through the VPN tunnel as there are issues with the MTU and IP fragmentation on this tunnel. I already disabled firewall fasttrack for all connections as I noticed that this functionality is blocking VPN traffic for some tunnels. I'm thinking of adjusting the TCP MSS by using mangle rules with connection marking. Outbound and inbound connections would get marked and after that, another mangle rule would modify the TCP MSS for those marked connections.
0 chain=forward action=mark-connection new-connection-mark=MARK passthrough=yes protocol=tcp log=yes log-prefix="MANGLE_MARK_IPSEC_OUT" ipsec-policy=out,ipsec
1 chain=forward action=mark-connection new-connection-mark=MARK passthrough=yes protocol=tcp log=yes log-prefix="MANGLE_MARK_IPSEC_IN" ipsec-policy=in,ipsec
2 chain=forward action=change-mss new-mss=1382 passthrough=yes tcp-flags=syn protocol=tcp connection-mark=MARK log=yes log-prefix="MANGLE_SET_TCP_MSS_IPSEC"
I have tested this setup with another IKEv2 VPN setup with Mode Configuration enabled as responder, and that is working fine, so the issue seems to be only related to the Mode Configuration enabled as client setup.
Thank you
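To see where a clamp value such as 1382 comes from, here is an added example (not code from the post or from RouterOS) that computes the largest TCP MSS whose full-size segment still fits inside the outer path MTU after ESP encapsulation, and checks a candidate value the other way round. The cipher suites and the 1500-byte outer MTU are assumptions, since the post states neither; with AES-128-CBC plus HMAC-SHA256 over NAT-T the calculation yields exactly 1382, the value used in the rules above.

```python
"""Derive the largest TCP MSS that keeps an ESP-encapsulated segment inside
the outer path MTU.  Added illustration for the post above; not code from
the post or from RouterOS.  Cipher suites and outer MTU are assumptions."""
from dataclasses import dataclass

IPV4_HDR = 20          # outer and inner IPv4 headers (no options)
TCP_HDR = 20           # inner TCP header (no options)
UDP_HDR = 8            # NAT-T: ESP carried in UDP/4500 (RFC 3948)
ESP_HDR = 8            # SPI + sequence number (RFC 4303)
ESP_TRAILER = 2        # pad length + next header


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int        # IV / nonce bytes carried in each packet
    block: int         # alignment the encrypted payload is padded to
    icv_len: int       # integrity check value length


# Assumed suites; check the proposal actually negotiated on your tunnel.
AES128_CBC_SHA256 = EspSuite("aes128-cbc/hmac-sha256-128", 16, 16, 16)
AES128_CBC_SHA1 = EspSuite("aes128-cbc/hmac-sha1-96", 16, 16, 12)
AES128_GCM = EspSuite("aes128-gcm-16", 8, 4, 16)


def fixed_overhead(suite, nat_t=True):
    """Outer bytes that do not depend on the inner packet length."""
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + suite.iv_len + suite.icv_len


def outer_size(mss, suite, nat_t=True):
    """Wire size of a full-size TCP segment after ESP encapsulation."""
    inner = IPV4_HDR + TCP_HDR + mss
    padded = ((inner + ESP_TRAILER + suite.block - 1) // suite.block) * suite.block
    return fixed_overhead(suite, nat_t) + padded


def max_mss(outer_mtu, suite, nat_t=True):
    """Largest MSS whose full-size segment still fits in outer_mtu."""
    room = outer_mtu - fixed_overhead(suite, nat_t)
    padded = (room // suite.block) * suite.block   # largest aligned payload
    return padded - ESP_TRAILER - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    for suite in (AES128_CBC_SHA256, AES128_CBC_SHA1, AES128_GCM):
        mss = max_mss(1500, suite)
        print(f"{suite.name:28s} NAT-T, outer MTU 1500 -> max MSS {mss} "
              f"(wire {outer_size(mss, suite)} bytes)")
```

Feed `max_mss` the real outer MTU of the WAN interface (for example a PPPoE link is smaller than 1500) and the suite the tunnel negotiated; any clamp at or below the result avoids ESP-level fragmentation for full-size segments.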