<div dir="ltr"><div class="gmail_default" style="font-size:small">Yes, I tried to put my client public key into /etc/ipsec.d/certs/, that did not help. Client OS: Xubuntu 14.04.5 3.13.0-129-generic, server OS: Ubuntu 16.04.2 4.4.0-1035-aws</div></div><div class="gmail_extra"><br><div class="gmail_quote">2017-09-27 0:39 GMT+03:00 Anvar Kuchkartaev <span dir="ltr"><<a href="mailto:anvar@anvartay.com" target="_blank">anvar@anvartay.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="en-GB" style="background-color:rgb(255,255,255);line-height:initial"> <div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif,sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)">In my case I am using strongswan in redhat environment which does not work with NetworkManager and I use intra organisation CA to sign certificates which verifies both server and client sites. I never tried to verify public key only. But you may try to add public key of server to strongswan global configuration directory (in redhat it is located on /etc/strongswan and certificate database of strongswan is in /etc/strongswan/ipsec.d/[<wbr>certs][cacerts]) . May I ask what version of strongswan are you using and what is the server and client OS?</div><span class="HOEnZb"><font color="#888888"> <div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif,sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)"><br style="display:initial"></div> <div style="font-size:initial;font-family:Calibri,'Slate Pro',sans-serif,sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)">Anvar Kuchkartaev <br><a href="mailto:anvar@anvartay.com" target="_blank">anvar@anvartay.com</a> </div> <table width="100%" style="background-color:white;border-spacing:0px"> <tbody><tr><td colspan="2" style="font-size:initial;text-align:initial;background-color:rgb(255,255,255)"> <div style="border-style:solid none none;border-top-color:rgb(181,196,223);border-top-width:1pt;padding:3pt 0in 0in;font-family:Tahoma,'BB Alpha Sans','Slate Pro';font-size:10pt"> <div><b>From: </b>Олег Пруц</div><div><b>Sent: </b>martes, 26 de septiembre de 2017 09:05 p.m.</div><div><b>To: </b>Anvar Kuchkartaev</div><div><b>Cc: </b><a href="mailto:users@lists.strongswan.org" target="_blank">users@lists.strongswan.org</a></div><div><b>Subject: </b>Re: [strongSwan] Cannot connect to IPsec gateway in a roadwarrior scenario because of large packet lengths</div></div></td></tr></tbody></table></font></span><div><div class="h5"><div style="border-style:solid none none;border-top-color:rgb(186,188,209);border-top-width:1pt;font-size:initial;text-align:initial;background-color:rgb(255,255,255)"></div><br><div id="m_439239281266240126_originalContent"><div dir="ltr"><div class="gmail_default" style="font-size:small">Hello Anvar,</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">I tried this and now I have this in syslog for some reason:</div><div class="gmail_default"><br></div><div class="gmail_default">charon: 14[IKE] no trusted RSA public key found for ...<br></div><div class="gmail_default"><br></div><div class="gmail_default" style="font-size:small">although my certificate and private key are specified in Network Manager on the client.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small"><div dir="ltr">Regards,<div>Oleg Prutz</div></div>
<br></div><div class="gmail_extra"><br><div class="gmail_quote">2017-09-23 19:46 GMT+03:00 Anvar Kuchkartaev <span dir="ltr"><<a href="mailto:anvar@anvartay.com" target="_blank">anvar@anvartay.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="en-GB" style="background-color:rgb(255,255,255);line-height:initial"> <div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif,sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)">You can use fragmentation=yes option in your server side configuration file and authentication request/responce will be fragmented before forming ip packets.</div><span class="m_439239281266240126HOEnZb"><font color="#888888"> <div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif,sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)"><br style="display:initial"></div> <div style="font-size:initial;font-family:Calibri,'Slate Pro',sans-serif,sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)">Anvar Kuchkartaev <br><a href="mailto:anvar@anvartay.com" target="_blank">anvar@anvartay.com</a> </div> <table width="100%" style="background-color:white;border-spacing:0px"> <tbody><tr><td colspan="2" style="font-size:initial;text-align:initial;background-color:rgb(255,255,255)"> <div style="border-style:solid none none;border-top-color:rgb(181,196,223);border-top-width:1pt;padding:3pt 0in 0in;font-family:Tahoma,'BB Alpha Sans','Slate Pro';font-size:10pt"> <div><b>From: </b>Олег Пруц</div><div><b>Sent: </b>sábado, 23 de septiembre de 2017 05:09 p.m.</div><div><b>To: </b><a href="mailto:users@lists.strongswan.org" target="_blank">users@lists.strongswan.org</a></div><div><b>Subject: </b>[strongSwan] Cannot connect to IPsec gateway in a roadwarrior scenario because of large packet lengths</div></div></td></tr></tbody></table></font></span><div><div class="m_439239281266240126h5"><div style="border-style:solid none none;border-top-color:rgb(186,188,209);border-top-width:1pt;font-size:initial;text-align:initial;background-color:rgb(255,255,255)"></div><br><div id="m_439239281266240126m_-4582832810954507887_originalContent"><div dir="ltr"><div style="font-size:small"><div>Hello strongSwan team,</div><div><br></div><div>Thank you for your great job. You are enabling user privacy and internet freedom for people really concerned with this. As for me, this is my use case: I purchased AWS instance with Ubuntu 16.04.2 and installed strongSwan on it, so I was successfully connecting from my home computer to it and was able to bypass restrictions.</div><div><br></div><div>However, as I have to use another network now, the connection is not establishing anymore. I did IP packet captures both on the server and on my machine and found out that the server fragments packets and sends packets with size larger than my MTU during key exchange. I set server MTU to be 1000, but fragmentation is still there, and fragmented packets do not pass to my machine. It seems to be an issue with my new ISP which does not handle fragmented packets.</div><div><br></div><div>I can supply the captures if necessary.</div><div><br></div><div><div dir="ltr">Regards,<div>Oleg Prutz</div></div>
<br></div></div></div>
<br></div></div></div></div>
</blockquote></div><br></div></div>
<br></div></div></div></div>
</blockquote></div><br></div>