On Tue, Jun 24, 2014 at 2:53 AM, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote: >> Hm, joy. So that's a third way of negotiating the MTU, and this time >> possibly even after the interface has been set up? > > That's a quite reasonable approach as one's idea of the MTU during > negotiation may not be precise. I don't think it's an issue to change > the MTU of the tun device at any point (at least if you know the name > of the tun device and SIOCSIFMTU is available). That does require CAP_NET_ADMIN; Android will have a problem with this. The app only has the ability to perform a one-time interface setup through a special API[1]; it doesn't run with root access. I have an outstanding problem report from a user who sees an MTU of 1406 on OpenConnect but 1405 on AnyConnect. When his phone is connected to wifi, 1405 is the highest value that works; but 1406 works on 3G. Not really sure how to probe for this value if the device can freely switch to a different interface/network with a different path MTU. Maybe in this case it was just luck. There have been a couple of other cases where AnyConnect negotiates a completely different MTU from OpenConnect but it wasn't catastrophic. [1] http://developer.android.com/reference/android/net/VpnService.Builder.html