<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000066" bgcolor="#FFFFFF">
<br>
<div class="moz-cite-prefix">On 03/23/2018 01:25 PM, Info wrote:<br>
</div>
<blockquote type="cite"
cite="mid:e659020a-23fc-ac3d-7762-180cdee472de@quantum-equities.com">
On 03/23/2018 12:57 PM, Info wrote:<br>
<blockquote type="cite"
cite="mid:ab1fdf30-cd3c-cac0-651a-2fd6df638e3b@quantum-equities.com">
<br>
<blockquote type="cite"
cite="mid:e1934718-9527-86dc-ce29-f7908f6a0c6f@quantum-equities.com">
<blockquote type="cite"
cite="mid:fe6c0e0a-a045-1f8c-264e-44de0b61f4b9@thermi.consulting">
<pre wrap="">Is there anything logged by the kernel in its ring buffer?
And please add the route I previously mentioned. And stop using ifconfig, or generally the net-tools.
Kind regards
Noel</pre>
</blockquote>
<br>
</blockquote>
Looks like journalctl is more useful. Apparently something was
wrong with my prior charon.conf setup, so I've merged the two
sections into one.<br>
<br>
Attached.<br>
<br>
</blockquote>
"<font color="#990000">[ENC] fragmented IKE message is too large</font>"<br>
<br>
My CA key and machine keys are generated with:<br>
<pre style="color: blue;"># strongswan pki --gen --type rsa --outform pem --size 16384 > /etc/pki/CA/private/<font style="color: darkred;">{CAmachinename}</font>-CAkey.pem
# strongswan pki --gen --type rsa --outform pem --size 16384 > /etc/pki/ipsec/private/<font style="color: red;">{machineA}</font>-Key.pem
<font color="#000066">... and Noel says that's ridiculous. But we all have our peculiar ways.
G**gle is baffled, but this may have something to do with MTU, which is 1500
on the eth0 interface. Cert sizes are ~6043 Bytes and for the CA cert 6067.
I once tried to set MTU to 9000, but the outside interface in the LAN gateway
refused anything higher than 1500 (DHCP), so that's a problem.
Idk whether this is the problem, and if so what to do about it?
</font></pre>
</blockquote>
<br>
So my large key/cert size is not the problem. Same thing happens
with CA key &amp; cert, and machine key &amp; cert for both ends
generated to a size of <font color="#3333ff">4096</font>.<br>
<br>
Same 4 attempts, same "fragmented IKE message is too large", same
unresponsiveness. Must be something else. Maybe it's haunted.<br>
<br>
Mar 24 14:22:04 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[48368] to 192.168.1.16[500] (704
bytes)<br>
Mar 24 14:22:04 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]<br>
Mar 24 14:22:04 cygnus.darkmatter.org charon-systemd[49550]:
172.58.47.30 is initiating an IKE_SA<br>
Mar 24 14:22:04 cygnus.darkmatter.org charon-systemd[49550]: local
host is behind NAT, sending keep alives<br>
Mar 24 14:22:04 cygnus.darkmatter.org charon-systemd[49550]: remote
host is behind NAT<br>
Mar 24 14:22:04 cygnus.darkmatter.org charon-systemd[49550]: sending
cert request for "C=US, O=Quantum CN=aries.darkmatter.org CA"<br>
Mar 24 14:22:04 cygnus.darkmatter.org charon-systemd[49550]:
generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]<br>
Mar 24 14:22:04 cygnus.darkmatter.org charon-systemd[49550]: sending
packet: from 192.168.1.16[500] to 172.58.47.30[48368] (299 bytes)<br>
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(1/8) ]<br>
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #1 of 8, waiting for complete IKE message<br>
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(2/8) ]<br>
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #2 of 8, waiting for complete IKE message<br>
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(3/8) ]<br>
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #3 of 8, waiting for complete IKE message<br>
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(4/8) ]<br>
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #4 of 8, waiting for complete IKE message<br>
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(5/8) ]<br>
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #5 of 8, waiting for complete IKE message<br>
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(6/8) ]<br>
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #6 of 8, waiting for complete IKE message<br>
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(7/8) ]<br>
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #7 of 8, waiting for complete IKE message<br>
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1188 bytes)<br>
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(8/8) ]<br>
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]:
fragmented IKE message is too large<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(1/8) ]<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #1 of 8, waiting for complete IKE message<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(2/8) ]<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #2 of 8, waiting for complete IKE message<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(3/8) ]<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #3 of 8, waiting for complete IKE message<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(4/8) ]<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #4 of 8, waiting for complete IKE message<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(5/8) ]<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #5 of 8, waiting for complete IKE message<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(6/8) ]<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #6 of 8, waiting for complete IKE message<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(7/8) ]<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #7 of 8, waiting for complete IKE message<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1188 bytes)<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(8/8) ]<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(6/8) ]<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #6 of 8, waiting for complete IKE message<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(7/8) ]<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #7 of 8, waiting for complete IKE message<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1188 bytes)<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(8/8) ]<br>
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]:
fragmented IKE message is too large<br>
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(1/8) ]<br>
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #1 of 8, waiting for complete IKE message<br>
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(2/8) ]<br>
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #2 of 8, waiting for complete IKE message<br>
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(3/8) ]<br>
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #3 of 8, waiting for complete IKE message<br>
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(4/8) ]<br>
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #4 of 8, waiting for complete IKE message<br>
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(5/8) ]<br>
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #5 of 8, waiting for complete IKE message<br>
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(6/8) ]<br>
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #6 of 8, waiting for complete IKE message<br>
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(7/8) ]<br>
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #7 of 8, waiting for complete IKE message<br>
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1188 bytes)<br>
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(8/8) ]<br>
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]:
fragmented IKE message is too large<br>
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(1/8) ]<br>
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #1 of 8, waiting for complete IKE message<br>
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(2/8) ]<br>
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #2 of 8, waiting for complete IKE message<br>
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(3/8) ]<br>
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #3 of 8, waiting for complete IKE message<br>
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(4/8) ]<br>
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #4 of 8, waiting for complete IKE message<br>
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(5/8) ]<br>
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #5 of 8, waiting for complete IKE message<br>
Mar 24 14:22:15 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:15 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(6/8) ]<br>
Mar 24 14:22:15 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #6 of 8, waiting for complete IKE message<br>
Mar 24 14:22:15 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1364 bytes)<br>
Mar 24 14:22:15 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(7/8) ]<br>
Mar 24 14:22:15 cygnus.darkmatter.org charon-systemd[49550]:
received fragment #7 of 8, waiting for complete IKE message<br>
Mar 24 14:22:15 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[41633] to 192.168.1.16[4500]
(1188 bytes)<br>
Mar 24 14:22:15 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(8/8) ]<br>
Mar 24 14:22:15 cygnus.darkmatter.org charon-systemd[49550]:
fragmented IKE message is too large<br>
Mar 24 14:22:20 cygnus.darkmatter.org charon-systemd[49550]:
received packet: from 172.58.47.30[48368] to 192.168.1.16[500] (704
bytes)<br>
Mar 24 14:22:20 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]<br>
Mar 24 14:22:20 cygnus.darkmatter.org charon-systemd[49550]:
172.58.47.30 is initiating an IKE_SA<br>
Mar 24 14:22:20 cygnus.darkmatter.org charon-systemd[49550]: local
host is behind NAT, sending keep alives<br>
Mar 24 14:22:20 cygnus.darkmatter.org charon-systemd[49550]: remote
host is behind NAT<br>
Mar 24 14:22:20 cygnus.darkmatter.org charon-systemd[49550]: sending
cert request for "C=US, O=Quantum CN=aries.darkmatter.org CA"<br>
Mar 24 14:22:20 cygnus.darkmatter.org charon-systemd[49550]:
generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]<br>
Mar 24 14:22:20 cygnus.darkmatter.org charon-systemd[49550]: sending
packet: from 192.168.1.16[500] to 172.58.47.30[48368] (299 bytes)<br>
Mar 24 14:22:24 cygnus.darkmatter.org charon-systemd[49550]: sending
keep alive to 172.58.47.30[41633]<br>
Mar 24 14:22:34 cygnus.darkmatter.org charon-systemd[49550]:
deleting half open IKE_SA with 172.58.47.30 after timeout<br>
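Added example, not code from this thread or from the strongSwan project: a Python script that pairs each "received packet" size in a charon journal with the IKE fragment it carried, totals every fragment set, and flags sets that exceed the reassembly limit. It assumes that limit is charon.max_packet from strongswan.conf (default 10000 bytes), and its sample lines are constructed from the 14:22:06 attempt in the log above.

```python
import re

# strongswan.conf charon.max_packet default (bytes); assumed here to be the
# limit behind "fragmented IKE message is too large".
MAX_PACKET = 10000
PACKET_RE = re.compile(r"received packet: from (\S+) to \S+ \((\d+) bytes\)")
FRAG_RE = re.compile(r"parsed (\w+) (request|response) (\d+) \[ EF\((\d+)/(\d+)\) \]")
TOO_LARGE = "fragmented IKE message is too large"

# Constructed sample: the 14:22:06 IKE_AUTH attempt from the thread, reduced
# to the two line kinds the parser reads (host field shortened).
_SIZES = [1364] * 7 + [1188]
SAMPLE_LOG = []
for i, size in enumerate(_SIZES, start=1):
    SAMPLE_LOG.append(f"Mar 24 14:22:06 cygnus charon-systemd[49550]: received packet: "
                      f"from 172.58.47.30[41633] to 192.168.1.16[4500] ({size} bytes)")
    SAMPLE_LOG.append(f"Mar 24 14:22:06 cygnus charon-systemd[49550]: parsed IKE_AUTH "
                      f"request 1 [ EF({i}/{len(_SIZES)}) ]")
SAMPLE_LOG.append("Mar 24 14:22:06 cygnus charon-systemd[49550]: " + TOO_LARGE)


def reassembly_report(lines, max_packet=MAX_PACKET):
    """One dict per completed fragment set, in log order.
    total_bytes sums the UDP payloads that carried the fragments, so it is an
    upper bound on the reassembled IKE message (each fragment also carries its
    own IKE header, EF payload header and NAT-T marker). charon_rejected is
    the authoritative signal; it is attributed to the last completed set.
    """
    results = []
    pending = {}        # (peer, exchange) -> {fragment number: UDP bytes}
    last_packet = None  # (peer, bytes) of the packet awaiting its "parsed" line
    for line in lines:
        m = PACKET_RE.search(line)
        if m:
            last_packet = (m.group(1), int(m.group(2)))
            continue
        m = FRAG_RE.search(line)
        if m and last_packet:
            peer, size = last_packet
            last_packet = None
            key = (peer, f"{m.group(1)} {m.group(2)} {m.group(3)}")
            n, total = int(m.group(4)), int(m.group(5))
            frags = pending.setdefault(key, {})
            frags[n] = size  # a retransmitted fragment simply overwrites
            if len(frags) == total:
                total_bytes = sum(frags.values())
                results.append({"peer": peer, "exchange": key[1], "fragments": total,
                                "total_bytes": total_bytes,
                                "over_limit": total_bytes > max_packet,
                                "charon_rejected": False})
                del pending[key]
            continue
        if TOO_LARGE in line and results:
            results[-1]["charon_rejected"] = True
    return results
```

On the sample the eight fragments sum to 7 x 1364 + 1188 = 10736 bytes of UDP payload, above the assumed 10000-byte limit, which is consistent with the rejection logged right after EF(8/8).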
<br>
</body>
</html>