[strongSwan] Gateway stops receiving end entity cert from a particular client

Noel Kuntze noel at familie-kuntze.de
Mon Jan 19 22:13:26 CET 2015


Hello Banio,

Did you try setting leftsendcert=always in the conn definition on the server side?
Also, I think you are more likely to have an MTU problem, as the packet with size 1916 bytes
never reaches the server. You might want to upgrade and use fragmentation to make sure that packets larger than the MTU (probably around 1500 bytes)
are fragmented and can reach the destination.

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 19.01.2015 um 21:56 schrieb Banio:
> I have 7 gateways (all set up the same) and many clients (all configured in the same manner), some on multiple gateways.  The gateways use certs for authentication.  Clients and gateways are all on Amazon AWS.  I periodically see the following issue:
>
> Client connects fine to gateway for weeks, then stops being able to connect.  Other clients continue to connect without issue to the gateway.  The two can communicate and get to the point where they both send their respective "request for cert", and the client sends its end entity cert, but the gateway never seems to receive it. The client continues to retransmit until 5 are sent and it times out.  If I destroy the virtual server and redeploy, the new client, with the same hostname and same configuration, can connect without issue.
>
> Here is the meta info (versions and OS are the same on gateway and client):
>
> OS: CentOS 6.6
> strongswan version: 5.2.0
> Gateway config: http://ur1.ca/jh5g7
> Client config: http://ur1.ca/jh5go
> Gateway log: http://ur1.ca/jh5h4
> Client log: http://ur1.ca/jh5hn
>
> Please let me know if you need more info.

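For readers landing on this thread later, here is what the two suggestions above look like in a gateway-side ipsec.conf conn definition. This is an added example, not a configuration posted by Noel or Banio and not one of the linked configs: the conn name, identities, subnet and certificate file name are placeholders, and the `fragmentation=yes` option assumes a strongSwan release of 5.2.1 or later, where IKEv2 fragmentation became available (hence the advice to upgrade from 5.2.0).

```ini
# Added illustration of the advice in the thread (not the poster's config).
# Gateway-side ipsec.conf; all names, addresses and file paths are assumed.
config setup

conn gw-roadwarriors
    keyexchange=ikev2
    left=%any
    leftid=@gateway.example.com      # assumed gateway identity (matches its cert)
    leftcert=gatewayCert.pem         # assumed file under /etc/ipsec.d/certs
    leftsubnet=10.0.0.0/16           # assumed protected network behind the gateway
    # Always send our end-entity certificate instead of waiting for a
    # certificate request from the peer.
    leftsendcert=always
    right=%any
    rightid=%any
    # Clients send their certificate when asked; the gateway's CERTREQ triggers it.
    rightsendcert=ifasked
    # Split large IKE messages (IKE_AUTH carrying certificates easily exceeds
    # 1500 bytes) into fragments that fit the path MTU. Both peers must support
    # IKEv2 fragmentation (strongSwan >= 5.2.1) for it to be negotiated.
    fragmentation=yes
    auto=add
```

The fragment size is governed by `charon.fragment_size` in strongswan.conf (default 1280 bytes), which is deliberately below the usual 1500-byte Ethernet MTU so fragments also survive tunnels and encapsulation on the path. Enable `fragmentation=yes` on the client side too, since the option is negotiated between peers. A quick way to confirm the MTU theory before changing anything is to send a ping from the affected client to the gateway with the don't-fragment bit set and a payload near 1472 bytes (`ping -M do -s 1472 <gateway>` on Linux); if that fails while smaller payloads succeed, the path MTU is smaller than the IKE_AUTH message and fragmentation is the fix.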