
I have a network topological graph like this:

   Local box                GateWay box
+---------------+    +--------------------------+   
|192.168.1.200  | -> |192.168.1.2     10.2.10.2 |
+---------------+    +--------------------------+
                                         |
                                         |GRE tunnel over pppoe
                                         |
                                         v
+----------------+      +--------------------------+
|  The Internet  |  <-- |54.179.141.101  10.2.10.1 |
+----------------+      +--------------------------+ 
                             Remote "proxy" box

The gateway box's PPPoE has an MTU of 1468, as does the tun0 tunnel (which is a GRE tunnel). The problem is that plain HTTP requests work just fine, but with HTTPS, for some sites such as https://www.gravatar.com/avatar/8bd68135185d99a58252795422d21bb9?s=24&d=identicon&r=PG the HTTPS connection can't be established, and the curl output gets stuck here:

 curl -v "https://www.gravatar.com/avatar/8bd68135185d99a58252795422d21bb9?s=24&d=identicon&r=PG"
* Hostname was NOT found in DNS cache
*   Trying 68.232.44.121...
* Connected to www.gravatar.com (68.232.44.121) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):

It gets stuck there and only waits for a timeout. But I can do the same request successfully on the Remote "proxy" box. So I'm presuming there is something wrong with the GRE tunnel (or even the iptables rules I wrote?).

So I got Wireshark and captured the packets on the GateWay box; the result is: [screenshot of the capture]

It shows there is a segment missing in the SSL handshake.

For additional info, the iptables rules are as follows:

On GateWay box

*nat
:PREROUTING ACCEPT [61416:4763478]
:INPUT ACCEPT [19674:1619565]
:OUTPUT ACCEPT [18416:1183854]
:POSTROUTING ACCEPT [3:144]
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE #<- this is a gre tunnel and the route for this request
-A POSTROUTING -o tun1 -j MASQUERADE

On the Proxy Box

*nat
:PREROUTING ACCEPT [3997:794751]
:INPUT ACCEPT [297:43841]
:OUTPUT ACCEPT [612:44944]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE

I googled it and some people said it may have something to do with the MTU, but how can I diagnose this issue further?

armnotstrong
  • Have one of the boxes along the path modify all SYN and SYN-ACK packets with an MSS larger than 1220, reducing the MSS to 1220. If the problem disappears, then it was an MTU problem. – kasperd Apr 13 '15 at 09:09

1 Answer


It is an MTU issue; this iptables rule (on the gateway box) makes it work:

iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
armnotstrong
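The size arithmetic behind the stall and behind what the TCPMSS clamp changes, as an added example that is not from the question or the answer. It assumes IPv4 without options, a plain 4-byte GRE header on tun0, the 1468-byte PPPoE MTU from the question, and a client on a 1500-byte Ethernet link advertising an MSS of 1460; the `handshake_stalls` model is an assumption about the failure mode (a full-MSS server segment with DF set that is too big for the tunnel is dropped rather than fragmented).

```python
"""Added example (not from the original post): MTU/MSS arithmetic for GRE over PPPoE.

Assumptions: IPv4 with no options, TCP data segments with no options, GRE with no
key/checksum/sequence fields (4-byte header), PPPoE MTU 1468 as in the question,
and a LAN client that advertises MSS 1460 (1500-byte Ethernet MTU).
"""
IPV4_HDR = 20
TCP_HDR = 20
GRE_OVERHEAD = IPV4_HDR + 4   # outer IPv4 header + basic GRE header = 24 bytes
PPPOE_MTU = 1468              # value given in the question


def inner_mtu(outer_mtu, overheads):
    """MTU left for the innermost packet after each encapsulation layer."""
    return outer_mtu - sum(overheads)


def mss_for_mtu(mtu):
    """Largest TCP payload that fits in one unfragmented IPv4 packet of this MTU."""
    return mtu - IPV4_HDR - TCP_HDR


def clamp_mss(advertised_mss, egress_mtu):
    """Model of `-j TCPMSS --clamp-mss-to-pmtu` applied to a SYN: the MSS option is
    lowered to (egress MTU - 40) when it is larger, otherwise left untouched."""
    return min(advertised_mss, mss_for_mtu(egress_mtu))


def segment_fits(payload_len, mtu):
    """True if a data segment carrying payload_len bytes fits the MTU unfragmented."""
    return payload_len + IPV4_HDR + TCP_HDR <= mtu


def handshake_stalls(client_mss, tunnel_mtu, clamp):
    """Assumed failure model: the server's first large handshake message (the TLS
    Certificate) is sent as a full-MSS segment with DF set. If that segment does
    not fit the tunnel it is dropped, and the handshake never completes."""
    mss_seen_by_server = clamp_mss(client_mss, tunnel_mtu) if clamp else client_mss
    return not segment_fits(mss_seen_by_server, tunnel_mtu)


# MTU actually available inside tun0 once GRE-over-IP is carried over the PPPoE link
TUNNEL_MTU = inner_mtu(PPPOE_MTU, [GRE_OVERHEAD])   # 1468 - 24 = 1444

if __name__ == "__main__":
    print("MTU inside tun0:", TUNNEL_MTU, "-> MSS that fits:", mss_for_mtu(TUNNEL_MTU))
    for clamp in (False, True):
        print("clamp" if clamp else "no clamp", "stalls:",
              handshake_stalls(1460, TUNNEL_MTU, clamp))
```

The clamp rule derives its limit from the MTU of the route out of tun0, so it only helps if that configured MTU is no larger than the value `inner_mtu` computes for the real encapsulation overhead.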