I have tried setting MSS clamping for the following topology, where two VyOS gateways are connected via an IPsec tunnel using VTI and both VyOS gateways have one interface, eth0:
cli1–vyos1–nat–vyos2–cli2
I have configured clamping on vyos1 using the following commands:
set policy route MSS-CLAMP rule 10 protocol 'tcp'
set policy route MSS-CLAMP rule 10 set tcp-mss '1400'
set policy route MSS-CLAMP rule 10 tcp flags 'SYN'
set interfaces ethernet eth0 policy route MSS-CLAMP
But when cli1 initiates a TCP connection to cli2, I am seeing that the MSS in the SYN and ACK packets is always calculated based on the MTU. I am checking the MSS size on both cli hosts using tcpdump. Is this the right way of testing MSS clamping?
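
The check described above (reading the MSS option out of SYN segments and comparing it with the configured clamp), as an added example that is not part of the original post. The `build_syn` helper and its sample segments are constructed for illustration; only the value 1400 comes from the configuration shown.

```python
import struct

CLAMP = 1400  # tcp-mss value from the MSS-CLAMP policy in the post

def build_syn(mss, sport=40000, dport=443):
    """Constructed sample: a TCP SYN header with MSS, SACK-permitted and two NOP options."""
    options = struct.pack("!BBH", 2, 4, mss) + bytes([4, 2, 1, 1])
    offset = (20 + len(options)) // 4          # data offset in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                         offset << 4, 0x02, 64240, 0, 0)
    return header + options

def syn_mss(segment):
    """Return the MSS option of a segment that has SYN set, else None."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    header_len = (segment[12] >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    if not segment[13] & 0x02:
        return None                            # MSS is only sent on SYN and SYN/ACK
    opts, i = segment[20:header_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                          # end of option list
            break
        if kind == 1:                          # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind == 2 and length == 4:          # MSS option: kind 2, length 4
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None

def check(segment, clamp=CLAMP):
    """Describe whether the advertised MSS is within the clamp value."""
    mss = syn_mss(segment)
    if mss is None:
        return "no MSS option"
    return f"mss={mss} " + ("clamped" if mss <= clamp else f"NOT clamped (> {clamp})")

if __name__ == "__main__":
    # 1460 = 1500-byte MTU minus 20-byte IPv4 and 20-byte TCP headers
    for sample_mss in (1460, 1400):
        print(check(build_syn(sample_mss)))
```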