[strongSwan] %defaultroute resolves to link-local address
Daniel Pocock
daniel at pocock.com.au
Thu Jul 4 23:58:53 CEST 2013
On 04/07/13 22:02, Volker Rümelin wrote:
> Hello Daniel,
>
>> 14:09:53.069743 IP6 SOURCENET::2 > DESTNET::6: frag (0|1400) 4500 >
>> 4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
>> 14:09:53.070185 IP6 SOURCENET::2 > DESTNET::6: frag (1400|352)
>> 14:10:06.802214 IP6 DESTNET::6 > SOURCENET::2: ICMP6, time exceeded
>> in-transit (reassembly), length 1240
> this is most likely a firewall problem with your Debian machine. Only
> the first fragment is accepted by your netfilter rules and the second
> fragment is dropped, leading to a reassembly timeout after 60s.
>
I'm trying the Shorewall firewall; is there a recommended set of parameters
for configuring Shorewall with strongSwan?
On the certificate size issue: will using ECC instead of RSA make the
certificates small enough to avoid fragmentation? What packet sizes
have been observed in practice with 384-bit ECC, for example?
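As an added example (not code from this thread, from strongSwan or from Shorewall), the following Python script reads the tcpdump lines quoted above and flags the flow whose receiver answered with an ICMPv6 "time exceeded in-transit (reassembly)". The three trace lines are the ones from the post; the reverse-direction exchange that completes normally is constructed so that the check has a negative case. The point the script encodes, that only the offset-0 fragment carries the UDP header a port-based rule such as `-p udp --dport 4500` can match, so a stateless rule set passes the first fragment and drops the rest, is general netfilter behaviour and an assumption about the cause, not something the thread itself states.

```python
"""Spot IPv6 fragment reassembly failures in tcpdump output (added example)."""
import re
from collections import defaultdict
from datetime import datetime

FRAG_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6 (?P<src>\S+) > (?P<dst>\S+): "
    r"frag \((?P<off>\d+)\|(?P<len>\d+)\)(?P<rest>.*)$"
)
TIMEOUT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6 (?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP6, time exceeded in-transit \(reassembly\)"
)

# Constructed sample: the three trace lines quoted in the thread, followed by a
# made-up reverse-direction exchange that completes normally (assumption).
SAMPLE_TRACE = """\
14:09:53.069743 IP6 SOURCENET::2 > DESTNET::6: frag (0|1400) 4500 > 4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:09:53.070185 IP6 SOURCENET::2 > DESTNET::6: frag (1400|352)
14:10:06.802214 IP6 DESTNET::6 > SOURCENET::2: ICMP6, time exceeded in-transit (reassembly), length 1240
14:10:07.100000 IP6 DESTNET::6 > SOURCENET::2: frag (0|1400) 4500 > 4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
14:10:07.100400 IP6 DESTNET::6 > SOURCENET::2: frag (1400|200)
"""


def _seconds(ts):
    """tcpdump hh:mm:ss.ffffff timestamp -> seconds since midnight."""
    t = datetime.strptime(ts, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6


def parse_trace(text):
    """Return ({(src, dst): [fragment dicts]}, [reassembly-timeout dicts])."""
    flows = defaultdict(list)
    timeouts = []
    for line in text.splitlines():
        m = FRAG_RE.match(line)
        if m:
            off, ln = int(m["off"]), int(m["len"])
            flows[(m["src"], m["dst"])].append({
                "ts": _seconds(m["ts"]),
                "offset": off,
                "length": ln,
                # tcpdump decodes the transport header ("4500 > 4500") only on
                # the fragment that actually carries it, i.e. the one at offset 0.
                "has_transport_header": off == 0 and m["rest"].strip() != "",
            })
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            timeouts.append({"ts": _seconds(m["ts"]), "src": m["src"], "dst": m["dst"]})
    return flows, timeouts


def contiguous(frags):
    """True if the fragments, sorted by offset, cover the payload without gaps."""
    expected = 0
    for f in sorted(frags, key=lambda f: f["offset"]):
        if f["offset"] != expected:
            return False
        expected += f["length"]
    return True


def reassembly_failures(text):
    """One finding per flow whose receiver reported a reassembly timeout."""
    flows, timeouts = parse_trace(text)
    findings = []
    for t in timeouts:
        # The ICMPv6 error travels back from the receiver, so the failing
        # flow is the reverse of the error packet's own addresses.
        key = (t["dst"], t["src"])
        frags = flows.get(key, [])
        if not frags:
            continue
        findings.append({
            "flow": key,
            "fragments_sent": len(frags),
            "sender_payload_complete": contiguous(frags),
            "total_payload": sum(f["length"] for f in frags),
            # Fragments a port-based rule cannot match: no UDP header on board.
            "fragments_without_transport_header": sum(
                1 for f in frags if not f["has_transport_header"]),
            "seconds_until_timeout": round(t["ts"] - min(f["ts"] for f in frags), 6),
        })
    return findings


if __name__ == "__main__":
    for finding in reassembly_failures(SAMPLE_TRACE):
        print(finding)
```

Run against the quoted trace, the sender side looks healthy (two contiguous fragments totalling 1752 bytes), so the loss is between the sender's wire and the receiver's reassembly queue; a count of one fragment without a transport header is the thing to check your ip6tables or Shorewall rules against.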