[strongSwan] %defaultroute resolves to link-local address

Daniel Pocock daniel at pocock.com.au
Thu Jul 4 23:58:53 CEST 2013



On 04/07/13 22:02, Volker Rümelin wrote:
> Hello Daniel,
> 
>> 14:09:53.069743 IP6 SOURCENET::2 > DESTNET::6: frag (0|1400) 4500 >
>> 4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
>> 14:09:53.070185 IP6 SOURCENET::2 > DESTNET::6: frag (1400|352)
>> 14:10:06.802214 IP6 DESTNET::6 > SOURCENET::2: ICMP6, time exceeded
>> in-transit (reassembly), length 1240
> this is most likely a firewall problem with your Debian machine. Only
> the first fragment is accepted by your netfilter rules and the second
> fragment is dropped, leading to a reassembly timeout after 60s.
> 

I'm trying the Shorewall firewall; is there a recommended set of parameters
for configuring Shorewall with strongSwan?

On the certificate size issue: will using ECC instead of RSA make the
certificates small enough to avoid fragmentation?  What packet sizes
have been observed in practice with 384 bit ECC for example?

More information about the Users mailing list