[strongSwan] strongswan-5.1.1 with 4.xx, tunnel pb

Volker Rümelin vr_strongswan at t-online.de
Tue Dec 31 16:25:41 CET 2013

> Hello Volker,
>> This packet was a large packet and was sent as two UDP fragments. One or possibly both fragments were
>> dropped on the route to the other side.
> Is it possible to handle the packet fragmentation to fix the problem?
> Unfortunately, the real world situation is such that in the majority of cases it is impossible to intervene on the intermediate router (provider's setup, hot spots etc).
> Initially this was the reason that we started to store the certificates locally on each side. Otherwise even the initial IKE handshake was unsuccessful.
>> I can see this is still your setup with the NAT router.
>> You should try to fix the router.
> There is no possibility to do that.
> Looking forward to your thoughts and wish you a Happy New Year!
> Regards,
> Serge

Hello Serge,

For a fixed site to site tunnel I would complain to my provider, as I 
pay for the service and they have to fix the router if it's broken.

I agree this is not a real option for the road warrior case.

I only have some limited experience with Windows road warriors. If 
ikev2 VPN doesn't work, it's possible to switch back to ikev1 ipsec/l2tp 
VPN. The proprietary ikev1 fragmentation extension 
(http://wiki.strongswan.org/projects/strongswan/wiki/ConnSection and 
search for fragmentation) allows the tunnel to be built up, and if you 
select a small enough MTU/MRU in the ppp setup, the data packets don't 
get fragmented. You can do the same. I have to admit this is an ugly 
solution, but it works.

I wish you a Happy New Year,
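The two settings Volker describes, written out as an added configuration example; this is not part of his reply or of the strongSwan project's own documentation. The `fragmentation` keyword is the one on the ConnSection wiki page linked above (strongSwan's proprietary IKEv1 fragmentation extension); the connection name, the certificate file name, the pppd options file path and the MTU/MRU value of 1280 are assumptions chosen for illustration.

```ini
# Added example, not from the original post. Two files are shown in one
# block, separated by comment headers.

# --- /etc/ipsec.conf (strongSwan 5.x, IKEv1 IPsec/L2TP road warrior) ---
conn l2tp-roadwarrior                # connection name is an assumption
    keyexchange=ikev1
    # Split large IKE messages (those carrying certificates) at the IKE
    # layer, so that no single UDP datagram has to be fragmented by IP
    # on the way through a NAT router that drops IP fragments.
    fragmentation=yes
    type=transport
    left=%defaultroute
    leftcert=serverCert.pem          # certificate file name is a placeholder
    leftprotoport=17/1701            # L2TP over UDP on the gateway side
    right=%any
    rightprotoport=17/%any           # NATed clients use arbitrary source ports
    auto=add

# --- /etc/ppp/options.l2tpd (path is an assumption; point xl2tpd's ---
# --- pppoptfile at it)                                              ---
# Keep the PPP payload small enough that, after the L2TP, UDP, ESP and
# UDP-encapsulation overhead is added, the resulting packets stay below
# the path MTU and never get fragmented. 1280 is a conservative assumed
# value; measure the real path and raise it if the link allows.
mtu 1280
mru 1280
```

A quick check that the chosen size is right is to watch the traffic on the gateway's outside interface while the tunnel carries a large transfer: if ESP-in-UDP packets still appear as IP fragments, the MTU/MRU pair has to go down further; if none appear and the IKE exchange completes with the certificate payloads in place, both halves of the workaround are doing their job.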
