I am setting up a VPN on Ubuntu 14.04 LTS which uses IPsec and performs NAT for clients. It is basically working - I can connect to it from a client (Android device) and browse (for example) www.google.com.
However I cannot browse www.bbc.co.uk. When I try, my VPN server receives the response from www.bbc.co.uk with the don't-fragment bit set, and discards it. Wireshark shows many of these:
119 7.904053000 212.58.246.95 MY.IP.MY.IP TCP 1414 [TCP segment of a reassembled PDU]
120 7.904094000 MY.IP.MY.IP 212.58.246.95 ICMP 590 Destination unreachable (Fragmentation needed)
By pinging my client from the VPN server, I have ascertained that its MTU is about 1380. The VPN server's MTU is 1500.
How is this supposed to work, please? MTUs can vary, so if the BBC is setting don't-fragment, how is this supposed to be handled, please?
I would assume that, if don't-fragment is set, everything should agree on the smallest common MTU. Can I work out who is misbehaving?
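An added illustration of the mechanism the question is about (example code, not from the original post): the ICMP "fragmentation needed" message that the VPN server sends back carries the next-hop MTU, and the origin host is supposed to use it to shrink its segments (RFC 1191 path MTU discovery). Sizes are constructed to mirror the question (a 1414-byte segment, client MTU about 1380); header contents are placeholders.

```python
import struct

IP_HDR, TCP_HDR = 20, 20  # IPv4 and TCP header sizes without options

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frag_needed(next_hop_mtu: int, orig_hdr_plus_8: bytes) -> bytes:
    """ICMP type 3 code 4 'fragmentation needed and DF set' (RFC 1191).
    The router that dropped the packet puts its outgoing link MTU in the
    next-hop MTU field and echoes the dropped packet's IP header + 8 bytes."""
    msg = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + orig_hdr_plus_8
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]

def parse_frag_needed(msg: bytes):
    """Return the next-hop MTU if msg is a valid frag-needed ICMP, else None."""
    if len(msg) < 8 or inet_checksum(msg) != 0:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    return mtu if (typ, code) == (3, 4) else None

def forward_decision(ip_len: int, df: bool, link_mtu: int) -> str:
    """What a router does with a packet that must go out a link of link_mtu."""
    if ip_len <= link_mtu:
        return "forward"
    return "drop_and_send_icmp" if df else "fragment"

def simulate_pmtud(ip_len: int, link_mtu: int):
    """Origin host sends a DF packet of ip_len bytes; the VPN box's link to
    the client has link_mtu. Returns (path MTU learned, MSS to use next)."""
    if forward_decision(ip_len, True, link_mtu) != "drop_and_send_icmp":
        return None
    dropped_hdr = bytes([0x45]) + b"\x00" * 27       # constructed IP hdr + 8 bytes
    icmp = build_frag_needed(link_mtu, dropped_hdr)  # what the VPN server sends
    path_mtu = parse_frag_needed(icmp)               # what the origin host learns
    return path_mtu, path_mtu - IP_HDR - TCP_HDR     # resend with smaller segments

if __name__ == "__main__":
    print(simulate_pmtud(1414, 1380))  # (1380, 1340)
```

The mechanism only works if that ICMP message actually reaches the origin host; when a firewall on the path drops ICMP type 3 code 4, the sender never learns the smaller MTU and keeps retransmitting segments that are discarded.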