This post has a very good explanation of the problems I’ve been suffering with my IPsec tunnels recently:
Two things have fixed my stalled transmissions over IPsec tunnels:
- Clamping the MSS of the IPsec connections to 1280
- Setting the sysctl
As seen in this post, the values of
- 0 - Disabled
- 1 - Disabled by default, enabled when an ICMP black hole detected
- 2 - Always enabled, use initial MSS of tcp_base_mss.
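As an added example (not from the original post), the two fixes above written out as a small POSIX shell script. The post does not name the sysctl; the 0/1/2 values it quotes match the kernel documentation for `net.ipv4.tcp_mtu_probing`, so that name is assumed here. The `iptables` rule, the `FORWARD` chain, the choice of mode 2 and the `mss_for_mtu` helper are likewise my assumptions; the post only states that clamping the MSS to 1280 and setting the sysctl fixed the stalls. Run without arguments for a dry run that prints the commands; run as root with `--apply` to change the host.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes Linux with iptables
# and sysctl. The sysctl name is an assumption: the 0/1/2 values quoted in
# the post are the documented modes of net.ipv4.tcp_mtu_probing.
set -eu

IPSEC_MSS=1280      # the clamp value the post reports using
MTU_PROBING=2       # 2 = always enabled, start from tcp_base_mss (assumed choice)

# Largest MSS that fits an MTU before any IPsec overhead: MTU minus the
# IP header (20 bytes for IPv4, 40 for IPv6) minus the 20-byte TCP header.
# Useful to see how much room the 1280 clamp leaves for ESP encapsulation.
mss_for_mtu() {
    mtu=$1; ipver=$2
    case $ipver in
        4) echo $((mtu - 20 - 20)) ;;
        6) echo $((mtu - 40 - 20)) ;;
        *) echo "unknown IP version: $ipver" >&2; return 1 ;;
    esac
}

# iptables rule that rewrites the MSS on SYNs that will leave through an
# IPsec policy ("-m policy --dir out" selects traffic about to be ESP-wrapped).
# TCPMSS is only valid in the mangle table and must be restricted to SYNs.
clamp_rule() {
    mss=$1
    echo "iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN" \
         "-m policy --pol ipsec --dir out -j TCPMSS --set-mss $mss"
}

# Command that switches on MTU probing (black-hole detection).
sysctl_cmd() {
    echo "sysctl -w net.ipv4.tcp_mtu_probing=$1"
}

# Accept only the three documented modes.
valid_probing_mode() {
    case $1 in 0|1|2) return 0 ;; *) return 1 ;; esac
}

main() {
    valid_probing_mode "$MTU_PROBING" || { echo "bad tcp_mtu_probing mode" >&2; exit 1; }
    echo "# plain 1500-byte MTU would allow an MSS of $(mss_for_mtu 1500 4)"
    echo "# clamping to $IPSEC_MSS leaves $(( $(mss_for_mtu 1500 4) - IPSEC_MSS )) bytes for ESP"
    if [ "${1:-}" = "--apply" ]; then
        [ "$(id -u)" -eq 0 ] || { echo "--apply needs root" >&2; exit 1; }
        sh -c "$(clamp_rule "$IPSEC_MSS")"
        sh -c "$(sysctl_cmd "$MTU_PROBING")"
        echo "tcp_mtu_probing now: $(sysctl -n net.ipv4.tcp_mtu_probing)"
    else
        clamp_rule "$IPSEC_MSS"
        sysctl_cmd "$MTU_PROBING"
    fi
}

main "$@"
```

The clamp in the `FORWARD` chain covers traffic routed through the tunnel host; for connections the host itself originates, add the same rule in `OUTPUT`. The `sysctl -w` setting is lost at reboot, so persist it in `/etc/sysctl.d/` once it is confirmed to help. 1280 is also the minimum IPv6 link MTU, which is one reason it is a conservative clamp value that fits almost any path.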