<div dir="ltr"><div class="gmail_default" style="font-size:small">Thanks to your advice, I resolved the problem and managed to connect using IKE fragmentation. I had to install the latest (5.6.0) version of strongSwan and set `fragmentation=yes` on both client and server because fragmentation does not work for IKEv2 before 5.2.1 (the most recent version for Ubuntu 14.04 is 5.1.2). That also means I had to set up an ipsec.conf profile instead of using Network Manager.<br></div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Thanks,</div><div class="gmail_default" style="font-size:small">Oleg Prutz</div><div class="gmail_extra"><br><div class="gmail_quote">2017-09-28 13:55 GMT+03:00 Anvar Kuchkartaev <span dir="ltr"><<a href="mailto:anvar@anvartay.com" target="_blank">anvar@anvartay.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="en-GB" style="background-color:rgb(255,255,255);line-height:initial"> <div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif,sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)">I had a problem with some clients connecting from restricted networks: the service providers were filtering out the last 1 or 2 fragments of the authentication response and connections were failing. 
Try to create a non-Network-Manager connection profile in strongSwan's ipsec.conf on the client and bring up the connection from a root terminal via:</div><div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif,sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)"><br></div><div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif,sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)">strongswan up [connection name]</div><div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif,sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)"><br></div><div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif,sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)">At the same time, monitor the server logs to see which step is failing every time. The other possible problem is that AWS instances use jumbo packets by default (MTU is 9000), and this might cause packet fragmentation on the AWS side. 
You can decrease the MTU of the Amazon instance to the standard 1500 with the command:</div><div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif,sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)"><br></div><div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif,sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)">ifconfig eth0 mtu 1500<span class="m_654225206383135719HOEnZb"><font color="#888888"><span style="font-size:initial;line-height:initial;text-align:initial"></span></font></span></div><span class="m_654225206383135719HOEnZb"><font color="#888888"> <div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif,sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)"><br></div> <div style="font-size:initial;font-family:Calibri,'Slate Pro',sans-serif,sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)">Anvar Kuchkartaev <br><a href="mailto:anvar@anvartay.com" target="_blank">anvar@anvartay.com</a> </div> <table width="100%" style="background-color:white;border-spacing:0px"> <tbody><tr><td colspan="2" style="font-size:initial;text-align:initial;background-color:rgb(255,255,255)"> <div style="border-style:solid none none;border-top-color:rgb(181,196,223);border-top-width:1pt;padding:3pt 0in 0in;font-family:Tahoma,'BB Alpha Sans','Slate Pro';font-size:10pt"> <div><b>From: </b>Олег Пруц</div><div><b>Sent: </b>Thursday, 28 September 2017 09:09 a.m.</div><div><b>To: </b>Noel Kuntze</div><div><b>Cc: </b>Anvar Kuchkartaev; <a href="mailto:Users@lists.strongswan.org" target="_blank">Users@lists.strongswan.org</a></div><div><b>Subject: </b>Re: [strongSwan] Cannot connect to IPsec gateway in a roadwarrior scenario because of large packet lengths</div></div></td></tr></tbody></table></font></span><div><div class="m_654225206383135719h5"><div style="border-style:solid none 
none;border-top-color:rgb(186,188,209);border-top-width:1pt;font-size:initial;text-align:initial;background-color:rgb(255,255,255)"></div><br><div id="m_654225206383135719m_1391803051753228363_originalContent"><div dir="ltr"><div class="gmail_default" style="font-size:small">Ok, I just created a new EC2 instance, generated a new server certificate and set up strongSwan, so let's say the authentication problem is solved. There is still the original problem: I cannot establish a connection due to fragmentation filtering, and when I add 'fragmentation=yes' in the conn %default section, strongSwan does not seem to notice it, which can be seen from the logs after I run 'sudo ipsec restart':</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default"><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 11[CFG] received stroke: add connection 'IPSec-IKEv2'</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 11[CFG] conn IPSec-IKEv2</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 11[CFG] left=%any</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 11[CFG] leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 11[CFG] leftcert=server2Cert.pem</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 11[CFG] right=%any</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 11[CFG] rightsourceip=<a href="http://172.16.16.0/24" target="_blank">172.16.16.0/24</a></div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 11[CFG] rightdns=31.3.135.232,87.98.17<wbr>5.85</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 11[CFG] 
ike=aes128-sha256-ecp256,aes25<wbr>6-sha384-ecp384,aes128-sha256-<wbr>modp2048,aes128-sha1-modp2048,<wbr>aes256-sha384-modp4096,aes25$</div><div class="gmail_default" style="font-size:small">-sha256-modp4096,aes256-sha1-m<wbr>odp4096,aes128-sha256-modp1536<wbr>,aes128-sha1-modp1536,aes256-<wbr>sha384-modp2048,aes256-sha256-<wbr>modp2048,aes256-sha1-modp2048,<wbr>aes128-sha256-modp$</div><div class="gmail_default" style="font-size:small">024,aes128-sha1-modp1024,aes25<wbr>6-sha384-modp1536,aes256-sha25<wbr>6-modp1536,aes256-sha1-modp153<wbr>6,aes256-sha384-modp1024,<wbr>aes256-sha256-modp1024,aes256-<wbr>sha1-modp1024!</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 11[CFG] esp=aes128gcm16-ecp256,aes256g<wbr>cm16-ecp384,aes128-sha256-<wbr>ecp256,aes256-sha384-ecp384,<wbr>aes128-sha256-modp2048,aes128-<wbr>sha1$</div><div class="gmail_default" style="font-size:small">modp2048,aes256-sha384-modp409<wbr>6,aes256-sha256-modp4096,<wbr>aes256-sha1-modp4096,aes128-<wbr>sha256-modp1536,aes128-sha1-<wbr>modp1536,aes256-sha384-modp204<wbr>8,aes256-sha256-modp2048,a$</div><div class="gmail_default" style="font-size:small">s256-sha1-modp2048,aes128-sha2<wbr>56-modp1024,aes128-sha1-modp10<wbr>24,aes256-sha384-modp1536,<wbr>aes256-sha256-modp1536,aes256-<wbr>sha1-modp1536,aes256-sha384-<wbr>modp1024,aes256-sha256-$</div><div class="gmail_default" style="font-size:small">odp1024,aes256-sha1-modp1024,a<wbr>es128gcm16,aes256gcm16,aes128-<wbr>sha256,aes128-sha1,aes256-<wbr>sha384,aes256-sha256,aes256-<wbr>sha1!</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 11[CFG] dpddelay=300</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 11[CFG] dpdtimeout=150</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 11[CFG] dpdaction=1</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 11[CFG] 
mediation=no</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 11[CFG] keyexchange=ikev2</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 11[CFG] adding virtual IP address pool <a href="http://172.16.16.0/24" target="_blank">172.16.16.0/24</a></div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 11[CFG] loaded certificate "******" from 'server2Cert.pem'</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 11[CFG] id '%any' not confirmed by certificate, defaulting to '******'</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 11[CFG] added configuration 'IPSec-IKEv2'</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 13[CFG] received stroke: add connection 'IPSec-IKEv2-EAP'</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 13[CFG] conn IPSec-IKEv2-EAP</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 13[CFG] left=%any</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 13[CFG] leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 13[CFG] leftcert=server2Cert.pem</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 13[CFG] right=%any</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 13[CFG] rightsourceip=<a href="http://172.16.16.0/24" target="_blank">172.16.16.0/24</a></div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 13[CFG] rightdns=31.3.135.232,87.98.17<wbr>5.85</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 13[CFG] rightauth=eap-mschapv2</div><div class="gmail_default" 
style="font-size:small">Sep 28 06:43:53 ******** charon: 13[CFG] eap_identity=%any</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 13[CFG] ike=aes128-sha256-ecp256,aes25<wbr>6-sha384-ecp384,aes128-sha256-<wbr>modp2048,aes128-sha1-modp2048,<wbr>aes256-sha384-modp4096,aes256</div><div class="gmail_default" style="font-size:small">-sha256-modp4096,aes256-sha1-m<wbr>odp4096,aes128-sha256-modp1536<wbr>,aes128-sha1-modp1536,aes256-<wbr>sha384-modp2048,aes256-sha256-<wbr>modp2048,aes256-sha1-modp2048,<wbr>aes128-sha256-modp1</div><div class="gmail_default" style="font-size:small">024,aes128-sha1-modp1024,aes25<wbr>6-sha384-modp1536,aes256-sha25<wbr>6-modp1536,aes256-sha1-modp153<wbr>6,aes256-sha384-modp1024,<wbr>aes256-sha256-modp1024,aes256-<wbr>sha1-modp1024!</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 13[CFG] esp=aes128gcm16-ecp256,aes256g<wbr>cm16-ecp384,aes128-sha256-<wbr>ecp256,aes256-sha384-ecp384,<wbr>aes128-sha256-modp2048,aes128-<wbr>sha1-</div><div class="gmail_default" style="font-size:small">modp2048,aes256-sha384-modp409<wbr>6,aes256-sha256-modp4096,<wbr>aes256-sha1-modp4096,aes128-<wbr>sha256-modp1536,aes128-sha1-<wbr>modp1536,aes256-sha384-modp204<wbr>8,aes256-sha256-modp2048,ae</div><div class="gmail_default" style="font-size:small">s256-sha1-modp2048,aes128-sha2<wbr>56-modp1024,aes128-sha1-modp10<wbr>24,aes256-sha384-modp1536,<wbr>aes256-sha256-modp1536,aes256-<wbr>sha1-modp1536,aes256-sha384-<wbr>modp1024,aes256-sha256-m</div><div class="gmail_default" style="font-size:small">odp1024,aes256-sha1-modp1024,a<wbr>es128gcm16,aes256gcm16,aes128-<wbr>sha256,aes128-sha1,aes256-<wbr>sha384,aes256-sha256,aes256-<wbr>sha1!</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 13[CFG] dpddelay=300</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 13[CFG] dpdtimeout=150</div><div class="gmail_default" 
style="font-size:small">Sep 28 06:43:53 ******** charon: 13[CFG] dpdaction=1</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 13[CFG] mediation=no</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 13[CFG] keyexchange=ikev2</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 13[CFG] reusing virtual IP address pool <a href="http://172.16.16.0/24" target="_blank">172.16.16.0/24</a></div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 13[CFG] loaded certificate "******" from 'server2Cert.pem'</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 13[CFG] id '%any' not confirmed by certificate, defaulting to '******'</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 13[CFG] added configuration 'IPSec-IKEv2-EAP'</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 14[CFG] received stroke: add connection 'CiscoIPSec'</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 14[CFG] conn CiscoIPSec</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 14[CFG] left=%any</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 14[CFG] leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 14[CFG] leftcert=server2Cert.pem</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 14[CFG] right=%any</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 14[CFG] rightsourceip=<a href="http://172.16.16.0/24" target="_blank">172.16.16.0/24</a></div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 14[CFG] 
rightdns=31.3.135.232,87.98.17<wbr>5.85</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 14[CFG] rightauth=pubkey</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 14[CFG] rightauth2=xauth</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 14[CFG] ike=aes128-sha256-ecp256,aes25<wbr>6-sha384-ecp384,aes128-sha256-<wbr>modp2048,aes128-sha1-modp2048,<wbr>aes256-sha384-modp4096,aes256</div><div class="gmail_default" style="font-size:small">-sha256-modp4096,aes256-sha1-m<wbr>odp4096,aes128-sha256-modp1536<wbr>,aes128-sha1-modp1536,aes256-<wbr>sha384-modp2048,aes256-sha256-<wbr>modp2048,aes256-sha1-modp2048,<wbr>aes128-sha256-modp1</div><div class="gmail_default" style="font-size:small">024,aes128-sha1-modp1024,aes25<wbr>6-sha384-modp1536,aes256-sha25<wbr>6-modp1536,aes256-sha1-modp153<wbr>6,aes256-sha384-modp1024,<wbr>aes256-sha256-modp1024,aes256-<wbr>sha1-modp1024!</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 14[CFG] esp=aes128gcm16-ecp256,aes256g<wbr>cm16-ecp384,aes128-sha256-<wbr>ecp256,aes256-sha384-ecp384,<wbr>aes128-sha256-modp2048,aes128-<wbr>sha1-</div><div class="gmail_default" style="font-size:small">modp2048,aes256-sha384-modp409<wbr>6,aes256-sha256-modp4096,<wbr>aes256-sha1-modp4096,aes128-<wbr>sha256-modp1536,aes128-sha1-<wbr>modp1536,aes256-sha384-modp204<wbr>8,aes256-sha256-modp2048,ae</div><div class="gmail_default" style="font-size:small">s256-sha1-modp2048,aes128-sha2<wbr>56-modp1024,aes128-sha1-modp10<wbr>24,aes256-sha384-modp1536,<wbr>aes256-sha256-modp1536,aes256-<wbr>sha1-modp1536,aes256-sha384-<wbr>modp1024,aes256-sha256-m</div><div class="gmail_default" style="font-size:small">odp1024,aes256-sha1-modp1024,a<wbr>es128gcm16,aes256gcm16,aes128-<wbr>sha256,aes128-sha1,aes256-<wbr>sha384,aes256-sha256,aes256-<wbr>sha1!</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 
******** charon: 14[CFG] dpddelay=300</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 14[CFG] dpdtimeout=150</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 14[CFG] dpdaction=1</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 14[CFG] mediation=no</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 14[CFG] keyexchange=ikev1</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 14[CFG] reusing virtual IP address pool <a href="http://172.16.16.0/24" target="_blank">172.16.16.0/24</a></div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 14[CFG] loaded certificate "******" from 'server2Cert.pem'</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 14[CFG] id '%any' not confirmed by certificate, defaulting to '******'</div><div class="gmail_default" style="font-size:small">Sep 28 06:43:53 ******** charon: 14[CFG] added configuration 'CiscoIPSec'</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">In case it matters, I used this guide for setup: <a href="https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/" target="_blank">https://www.zeitgeist.se/2013/<wbr>11/22/strongswan-howto-create-<wbr>your-own-vpn/</a></div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">My strongSwan version:</div><div class="gmail_default">Linux strongSwan U5.3.5/K4.4.0-1022-aws<br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2017-09-27 3:17 GMT+03:00 Noel Kuntze <span dir="ltr"><<a href="mailto:noel.kuntze+strongswan-users-ml@thermi.consulting" target="_blank">noel.kuntze+strongswan-users-<wbr>ml@thermi.consulting</a>></span>:<br><blockquote class="gmail_quote" 
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
UDP packets cannot be fragmented on the transport layer. UDP packets represent a complete datagram, not a byte stream like TCP. Fragmentation needs to be implemented on the application layer, which is what charon supports with IKEv1 and IKEv2 fragmentation, configurable with fragmentation=yes, which enables support for it. It is used if the remote peer indicates support for it as well.<br>
<br>
Yes, the problem is caused by your new ISP (or some other hop to the other peer) dropping IP fragments.<br>
<br>
Kind regards<br>
<br>
Noel<br>
<span><br>
On 23.09.2017 18:46, Anvar Kuchkartaev wrote:<br>
> You can use the fragmentation=yes option in your server-side configuration file and the authentication request/response will be fragmented before forming IP packets.<br>
><br>
> Anvar Kuchkartaev <br>
> <a href="mailto:anvar@anvartay.com" target="_blank">anvar@anvartay.com</a> <br>
</span>> *From: *Олег Пруц<br>
> *Sent: *Saturday, 23 September 2017 05:09 p.m.<br>
> *To: *<a href="mailto:users@lists.strongswan.org" target="_blank">users@lists.strongswan.org</a><br>
> *Subject: *[strongSwan] Cannot connect to IPsec gateway in a roadwarrior scenario because of large packet lengths<br>
<div class="m_654225206383135719m_1391803051753228363HOEnZb"><div class="m_654225206383135719m_1391803051753228363h5">><br>
><br>
> Hello strongSwan team,<br>
><br>
> Thank you for your great job. You are enabling user privacy and internet freedom for people really concerned with this. As for me, this is my use case: I purchased an AWS instance with Ubuntu 16.04.2 and installed strongSwan on it, so I was successfully connecting from my home computer to it and was able to bypass restrictions.<br>
><br>
> However, as I have to use another network now, the connection is not established anymore. I did IP packet captures both on the server and on my machine and found out that the server fragments packets and sends packets with a size larger than my MTU during the key exchange. I set the server MTU to 1000, but fragmentation is still there, and fragmented packets do not pass to my machine. It seems to be an issue with my new ISP, which does not handle fragmented packets.<br>
><br>
> I can supply the captures if necessary.<br>
><br>
> Regards,<br>
> Oleg Prutz<br>
><br>
><br>
<br>
</div></div></blockquote></div><br></div>
<br></div></div></div></div>
</blockquote></div><br></div></div>
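<p>The thread's resolution rests on two checks that are easy to get wrong by hand: whether <code>fragmentation=yes</code> is actually in effect for a given conn once <code>conn %default</code> and <code>also=</code> inheritance are applied, and whether the daemon printed by <code>ipsec version</code> is at least 5.2.1, the release Oleg names as the first with working IKEv2 fragmentation. The Python script below is an added example, not code from the thread or from the strongSwan project. The sample ipsec.conf, the <code>no-frag</code> conn and the second version string are constructed; the version threshold and the <code>U5.3.5/K4.4.0-1022-aws</code> version line come from the thread.</p>

```python
"""Check whether strongSwan IKE fragmentation is effective for each conn.

Added example (not from the mailing-list thread or the strongSwan project).
Parses a small ipsec.conf, resolves 'conn %default' and 'also=' inheritance,
and compares the daemon version from `ipsec version` against 5.2.1, the
minimum the thread gives for IKEv2 fragmentation.
"""
import re

# Constructed sample modelled on the gateway in the thread: fragmentation=yes
# lives in conn %default and should be inherited by every conn unless overridden.
SAMPLE_IPSEC_CONF = """\
config setup
    uniqueids=never

conn %default
    keyexchange=ikev2
    fragmentation=yes
    dpddelay=300s
    dpdaction=clear

conn IPSec-IKEv2
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=server2Cert.pem
    right=%any
    rightsourceip=172.16.16.0/24
    auto=add

# Hypothetical conn that reuses IPSec-IKEv2 but switches fragmentation off.
conn no-frag
    also=IPSec-IKEv2
    fragmentation=no
"""

IKEV2_FRAG_MIN_VERSION = (5, 2, 1)  # as stated in the thread


def parse_ipsec_conf(text):
    """Return {section_name: {key: value}} for every 'conn' section.

    Section headers start in column 0 ('conn NAME'); settings are indented
    key=value lines; '#' starts a comment. Other section types are skipped.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] == "conn":
                current = sections.setdefault(parts[1].strip(), {})
            else:
                current = None  # 'config setup', 'ca ...' etc.
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        current[key.strip()] = value.strip()
    return sections


def effective_settings(sections, name, _seen=None):
    """Resolve a conn: its own keys win over the 'also=' chain, which wins over %default."""
    _seen = _seen if _seen is not None else set()
    if name in _seen:
        raise ValueError("also= loop at %r" % name)
    _seen.add(name)
    own = dict(sections.get(name, {}))
    merged = {}
    if name != "%default" and "%default" in sections:
        merged.update(sections["%default"])
    if "also" in own:
        merged.update(effective_settings(sections, own.pop("also"), _seen))
    merged.update(own)
    return merged


def fragmentation_setting(sections, name):
    """Effective 'fragmentation' value for a conn, or 'unset' if configured nowhere."""
    return effective_settings(sections, name).get("fragmentation", "unset")


def parse_strongswan_version(version_line):
    """Extract (major, minor, patch) from `ipsec version` output such as
    'Linux strongSwan U5.3.5/K4.4.0-1022-aws' (the line quoted in the thread)."""
    m = re.search(r"strongSwan U?(\d+)\.(\d+)\.(\d+)", version_line)
    if not m:
        raise ValueError("not a strongSwan version line: %r" % version_line)
    return tuple(int(x) for x in m.groups())


def supports_ikev2_fragmentation(version):
    return tuple(version) >= IKEV2_FRAG_MIN_VERSION


def diagnose(conf_text, version_line):
    """Map each conn to 'ok', 'fragmentation-not-sent' (value is not yes/force,
    so this side will not fragment its own IKE messages) or 'daemon-too-old'
    (a non-IKEv1 conn on a release before 5.2.1)."""
    sections = parse_ipsec_conf(conf_text)
    version = parse_strongswan_version(version_line)
    verdicts = {}
    for name in sections:
        if name == "%default":
            continue
        eff = effective_settings(sections, name)
        # keyexchange defaults to 'ike', which negotiates IKEv2 when initiating,
        # so anything other than an explicit ikev1 is held to the IKEv2 threshold.
        if eff.get("fragmentation") not in ("yes", "force"):
            verdicts[name] = "fragmentation-not-sent"
        elif eff.get("keyexchange", "ike") != "ikev1" and not supports_ikev2_fragmentation(version):
            verdicts[name] = "daemon-too-old"
        else:
            verdicts[name] = "ok"
    return verdicts


if __name__ == "__main__":
    # Second version string is constructed to mimic the Ubuntu 14.04 package.
    for ver in ("Linux strongSwan U5.3.5/K4.4.0-1022-aws",
                "Linux strongSwan U5.1.2/K3.13.0-generic"):
        print(ver, "->", diagnose(SAMPLE_IPSEC_CONF, ver))
```

<p>Run it against the real file (<code>diagnose(open("/etc/ipsec.conf").read(), subprocess.check_output(["ipsec", "version"]).decode())</code>) on both peers: the thread's fix only works when both sides report <code>ok</code>, since fragmentation is negotiated and the side whose IKE_AUTH exceeds the path MTU must be the one that fragments.</p>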