[strongSwan] strongswan-5.1.1 with 4.xx, tunnel pb
Volker Rümelin
vr_strongswan at t-online.de
Tue Dec 31 16:25:41 CET 2013
> Hello Volker,
>
>> This packet was a large packet and was sent as two UDP fragments. One or possibly both fragments were
>> dropped on the route to the other side.
> Is it possible to handle the packet fragmentation to fix the problem?
> Unfortunately, the real world situation is such that in the majority of cases it is impossible to intervene on the intermediate router (provider's setup, hot spots etc).
> Initially this was the reason that we started to store the certificates locally on each side. Otherwise even the initial IKE handshake was unsuccessful.
>
>> I can see this is still your setup with the NAT router.
>> you should try to fix the router.
> There is no possibility to do that.
>
> Looking forward to your thoughts and wish you a Happy New Year!
> Regards,
> Serge
>
>
Hello Serge,
for a fixed site to site tunnel I would complain to my provider, as I
pay for the service and they have to fix the router if it's broken.
I agree this is not a real option for the road warrior case.
I only have some limited experience with Windows road warriors. If
ikev2 VPN doesn't work, it's possible to switch back to ikev1 ipsec/l2tp
VPN. The proprietary ikev1 fragmentation extension
(http://wiki.strongswan.org/projects/strongswan/wiki/ConnSection and
search for fragmentation) allows building up the tunnel and if you
select a small enough MTU/MRU in the ppp setup, the data packets don't
get fragmented. You can do the same. I have to admit this is an ugly
solution, but it works.
I wish you a Happy New Year,
Volker
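As an added example that is not part of Volker's message, this is what the fallback he describes could look like on a strongSwan gateway: an IKEv1 transport-mode connection for L2TP with the proprietary fragmentation extension turned on, plus a ppp options file with a reduced MTU/MRU so that the user data is never fragmented on the way. The connection name, certificate file name, identity and the value 1280 are assumptions chosen for illustration; the option names (keyexchange, fragmentation, leftprotoport, rightprotoport, mtu, mru) are the real strongSwan and pppd ones.

```ini
# /etc/ipsec.conf (constructed example; names and identities are placeholders)
config setup
    uniqueids=no

conn l2tp-ikev1
    keyexchange=ikev1
    # Proprietary IKEv1 fragmentation extension: strongSwan splits the large
    # IKE messages (e.g. the one carrying the certificate) itself, so the
    # handshake survives a router that drops UDP fragments.
    fragmentation=yes
    type=transport
    left=%any
    leftcert=gatewayCert.pem        # assumed certificate file name
    leftid=@vpn.example.org         # assumed gateway identity
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any          # %any port: clients behind NAT rewrite it
    auto=add

# /etc/ppp/options.xl2tpd (constructed example)
# Keep the ppp MTU/MRU small enough that the L2TP + ESP + UDP encapsulation
# overhead still fits in the path MTU (1500 on plain Ethernet, less over
# PPPoE). 1280 leaves ample headroom, so the ESP packets carrying user data
# are not fragmented by the gateway or the client.
mtu 1280
mru 1280
```

After loading the connection, `ipsec statusall` shows whether the IKE_SA was established; if the handshake still stalls, check on the peer that it also supports the fragmentation extension, since both sides must speak it.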