[strongSwan-dev] [PATCH 0/5] IKEv1 fragmentation support for Windows peers
Volker Rümelin
vr_strongswan at t-online.de
Mon Mar 10 22:23:05 CET 2014
Hi,
Here are five patches to enable IKEv1 fragmentation support for Windows peers. These patches are useful for Windows users who have to live with a broken router or firewall dropping IP fragments.
The patches were tested with Windows XP and Windows 7 peers. I found no way to drop incoming or outgoing IP fragments with Linux connection tracking enabled, so I used
iptables -t filter -I INPUT -s 192.168.0.1 -p udp -m u32 --u32 '0 & 0xFFFF = 1493:65535' -j DROP
iptables -t filter -I OUTPUT -d 192.168.0.1 -p udp -m u32 --u32 '0 & 0xFFFF = 1493:65535' -j DROP
on gateway sun as a rough equivalent for a broken router in a setup like this one.
http://www.strongswan.org/uml/testresults/ikev1/nat-rw
To enable fragmentation support with Windows 7 peers it's necessary to use fragmentation=onlycerts. For Windows XP fragmentation=onlycerts or fragmentation=yes works.
Comments or suggestions are always welcome.
Regards,
Volker