<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000066" bgcolor="#FFFFFF">
On 03/23/2018 12:57 PM, Info wrote:<br>
<blockquote type="cite"
cite="mid:ab1fdf30-cd3c-cac0-651a-2fd6df638e3b@quantum-equities.com">
<br>
<blockquote type="cite"
cite="mid:e1934718-9527-86dc-ce29-f7908f6a0c6f@quantum-equities.com">
<blockquote type="cite"
cite="mid:fe6c0e0a-a045-1f8c-264e-44de0b61f4b9@thermi.consulting">
<pre wrap="">Is there anything logged by the kernel in its ring buffer?
And please add the route I previously mentioned. And stop using ifconfig, or generally the net-tools.
Kind regards
Noel</pre>
</blockquote>
<br>
</blockquote>
Looks like journalctl is more useful. Apparently something was
wrong with my prior charon.conf setup, so I've merged the two
sections into one.<br>
<br>
Attached.<br>
<br>
</blockquote>
"<font color="#990000">[ENC] fragmented IKE message is too large</font>"<br>
<br>
My CA key and machine keys are generated with:<br>
<pre style="color: blue;"># strongswan pki --gen --type rsa --outform pem --size 16384 > /etc/pki/CA/private/<font style="color: darkred;">{CAmachinename}</font>-CAkey.pem
# strongswan pki --gen --type rsa --outform pem --size 16384 > /etc/pki/ipsec/private/<font style="color: red;">{machineA}</font>-Key.pem
</pre>
... and Noel says that's ridiculous. But we all have our peculiar ways.<br>
<br>
G**gle is baffled, but this may have something to do with MTU, which is 1500
on the eth0 interface. Cert sizes are ~6043 Bytes and for the CA cert 6067.
I once tried to set MTU to 9000, but the outside interface in the LAN gateway
refused anything higher than 1500 (DHCP), so that's a problem.<br>
<br>
Idk whether this is the problem, and if so what to do about it?<br>
</body>
</html>