Seems ocserv will automatically correct the MTU value. Does anyone know how to stop it?

On Sun, Jan 22, 2017 at 2:58 PM, Michael Leung <gbcbooksmj at gmail.com> wrote:
> I think the following error would indicate why IPv6 did not work for me:
> "Connection MTU (1268) is not sufficient for IPv6 (1280)"
>
> For now, I still don't know why it gave out a low value for the interface MTU.
>
> Here is the MTU setting in my ocserv.conf:
>
> auth = "plain[/etc/ocserv/passwd]"
> use-occtl = true
> banner = "Welcome ocs server"
> max-clients = 16
> max-same-clients = 2
> tcp-port = 5551
> udp-port = 5551
> keepalive = 32400
> dpd = 240
> mobile-dpd = 1800
> ###################
> try-mtu-discovery = true
> ###################
> server-cert = /etc/ocserv/certs/anyconnect.cert
> server-key = /etc/ocserv/private/prikey.pem
> tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
> auth-timeout = 40
> cookie-timeout = 86400
> rekey-time = 172800
> rekey-method = ssl
> disconnect-script = /usr/bin/myscript
> use-utmp = true
> use-dbus = false
> pid-file = /var/run/ocserv.pid
> socket-file = /var/run/ocserv-socket
> run-as-user = root
> run-as-group = root
> device = vpns
> default-domain = ocserv.eu.org.
> ipv4-network = 10.200.254.0
> ipv4-netmask = 255.255.255.128
> dns = 9.9.9.9
> dns = 2.2.2.2
> ipv6-network = 2001:470:f916:ffff::
> ipv6-prefix = 64
> ping-leases = false
> ###################
> mtu = 1320
> ###################
> config-per-user = /etc/ocserv/config-per-user
> config-per-group = /etc/ocserv/config-per-group
>
> On Sat, Jan 21, 2017 at 11:45 PM, Kevin Cernekee <cernekee at gmail.com> wrote:
>>
>> On Sat, Jan 21, 2017 at 5:52 AM, Goodman Leung <gbcbooksmj at gmail.com>
>> wrote:
>> > Does anyone have IPv6 working on ocserv?
>> >
>> > I added the configuration "ipv6-network = 2001:470:c19d:xxxx:xxxx::/64"
>> >
>> > and from the debug log output:
>> >
>> > assigned IPv6: 2001:470:f91d:c15c:0:74:f141:e500
>> >
>> > The IPv6 address had been assigned, but when I check my client side, it
>> > did not find an IPv6 address on the tun interface.
>>
>> It's working for me, using explicit-ipv6 to provide a /128 to specific
>> clients.
>>
>> You might want to run the client with --dump-http-traffic and look for
>> these headers:
>>
>> X-CSTP-Address-Type: IPv6,IPv4
>> X-CSTP-Address-IP6: 2001:470:f91d:c15c:0:74:f141:e500/128
>>
>> If your ipv6-network (i.e. the delegation you received from your ISP)
>> is only a /64, you can try ipv6-subnet-prefix = 128. Ideally you'd
>> want to get a /48 or /56 from your ISP, and then hand out a /64 to
>> each VPN client.