[strongSwan] strongswan-5.1.1 with 4.xx, tunnel pb

s s y52 at europe.com
Tue Dec 31 12:48:22 CET 2013


Hello Volker,

> This packet was a large packet and was sent as two UDP fragments. One or possibly both fragments were
> dropped on the route to the other side.
Is it possible to handle the packet fragmentation to fix the problem?
Unfortunately, the real world situation is such that in the majority of cases it is impossible to intervene on the intermediate router (provider's setup, hot spots etc).
Initially this was the reason that we started to store the certificates locally on each side. Otherwise even the initial IKE handshake was unsuccessful.

> I can see this is still your setup with the NAT router.
> you should try to fix the router.
There is no possibility to do that.

Looking forward to your thoughts and wish you a Happy New Year!
Regards,
Serge


> ----- Original Message -----
> From: Volker Rümelin
> Sent: 12/31/13 12:03 AM
> To: s s, users at lists.strongswan.org
> Subject: Re: [strongSwan]  strongswan-5.1.1 with 4.xx, tunnel pb
> 
> Hello Serge,
> 
> > Dec 29 22:23:19 karma charon: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
> > Dec 29 22:23:19 karma charon: 11[NET] sending packet: from 192.168.4.10[4500] to 192.168.4.87[62698] (1612 bytes)
> 
> This packet was a large packet and was sent as two UDP fragments. One or possibly both fragments were
> dropped on the route to the other side.
> 
> > 
> > Dec 29 22:23:23 karma charon: 12[NET] received packet: from 192.168.4.87[62698] to 192.168.4.10[4500] (1500 bytes)
> > Dec 29 22:23:23 karma charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> > Dec 29 22:23:23 karma charon: 12[IKE] received retransmit of request with ID 1, retransmitting response
> > Dec 29 22:23:23 karma charon: 12[NET] sending packet: from 192.168.4.10[4500] to 192.168.4.87[62698] (1612 bytes)
> > Dec 29 22:23:30 karma charon: 09[NET] received packet: from 192.168.4.87[62698] to 192.168.4.10[4500] (1500 bytes)
> 
> I can see this is still your setup with the NAT router. Most likely you have a problem with this router and
> you should try to fix the router.
> 
> Regards,
> Volker
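
Added example (not part of the original thread and not strongSwan code): a Python check that runs over charon log lines like those quoted above and flags peers that were sent a packet too large for a single IP packet and then retransmitted their request, which is the pattern Volker describes. It assumes a 1500-byte IPv4 path MTU and that the byte count charon logs is the UDP payload; the function names are hypothetical.

```python
import re

# Sample input: the [NET]/[IKE] log lines quoted in the thread above.
SAMPLE_LOG = """\
Dec 29 22:23:19 karma charon: 11[NET] sending packet: from 192.168.4.10[4500] to 192.168.4.87[62698] (1612 bytes)
Dec 29 22:23:23 karma charon: 12[NET] received packet: from 192.168.4.87[62698] to 192.168.4.10[4500] (1500 bytes)
Dec 29 22:23:23 karma charon: 12[IKE] received retransmit of request with ID 1, retransmitting response
Dec 29 22:23:23 karma charon: 12[NET] sending packet: from 192.168.4.10[4500] to 192.168.4.87[62698] (1612 bytes)
Dec 29 22:23:30 karma charon: 09[NET] received packet: from 192.168.4.87[62698] to 192.168.4.10[4500] (1500 bytes)
"""

NET_RE = re.compile(
    r"charon: (\d+)\[NET\] (sending|received) packet: "
    r"from (\S+)\[\d+\] to (\S+)\[\d+\] \((\d+) bytes\)")
RETX_RE = re.compile(r"charon: (\d+)\[IKE\] received retransmit of request")

# Assumption: IPv4 header without options (20 bytes) plus UDP header (8 bytes),
# and the logged size is the UDP payload length.
IP_UDP_OVERHEAD = 28


def needs_ip_fragmentation(payload_len, mtu=1500):
    """True if a UDP payload of this size cannot fit in one IP packet."""
    return payload_len + IP_UDP_OVERHEAD > mtu


def suspect_peers(log, mtu=1500):
    """Peers that were sent oversize packets and also retransmitted a request."""
    stats = {}
    last_src = {}  # worker thread id -> source address of its last received packet
    for line in log.splitlines():
        net = NET_RE.search(line)
        retx = RETX_RE.search(line)
        if net:
            thread, direction, src, dst, size = net.groups()
            if direction == "received":
                last_src[thread] = src
            elif needs_ip_fragmentation(int(size), mtu):
                entry = stats.setdefault(dst, {"oversize_sent": 0, "retransmits": 0})
                entry["oversize_sent"] += 1
        elif retx and retx.group(1) in last_src:
            # The [IKE] line carries no address; link it via the worker thread id.
            entry = stats.setdefault(last_src[retx.group(1)],
                                     {"oversize_sent": 0, "retransmits": 0})
            entry["retransmits"] += 1
    return {p: s for p, s in stats.items() if s["oversize_sent"] and s["retransmits"]}


if __name__ == "__main__":
    for peer, counts in suspect_peers(SAMPLE_LOG).items():
        print(peer, counts)
```

A peer listed here keeps asking for a response that only ever leaves as IP fragments, so the path between the two hosts is the first place to look.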