On 09/30/2013 11:21 AM, Yin Guanhao wrote:
> On 2013-09-30 16:50, Nikos Mavrogiannopoulos wrote:
>> Thanks. That could be the issue. Could you try this patch? I'm not
>> sure about the 9 bytes larger though. Could it be 8 bytes instead?
>> I cannot think what this extra byte is for.
>
> With this patch the MTU on the client side is 1 byte larger (1215
> vs. 1214).
>
> Log of ocserv:
>
> ocserv[23450]: [xxx.xxx.xxx.xxx]:54873 peer CSTP MTU is 1280
> ocserv[23450]: [xxx.xxx.xxx.xxx]:54873 TCP MSS is 1427
> ocserv[23450]: [xxx.xxx.xxx.xxx]:54873 DTLS ciphersuite: AES128-SHA
> ocserv[23450]: [xxx.xxx.xxx.xxx]:54873 suggesting DTLS MTU 1214
> ocserv[23450]: [xxx.xxx.xxx.xxx]:54873 suggesting CSTP MTU 1215

Ok, that makes sense. It seems that openconnect uses the last MTU
suggested, and in that case it is the CSTP (TCP) MTU for the tun device.
The DTLS MTU is ignored. I'll make ocserv return a single MTU value
for both CSTP and DTLS to avoid such issues.

regards,
Nikos