[strongSwan] %defaultroute resolves to link-local address

Daniel Pocock daniel at pocock.com.au
Fri Jul 5 10:43:18 CEST 2013


On 04/07/13 23:58, Daniel Pocock wrote:
>
> On 04/07/13 22:02, Volker Rümelin wrote:
>> Hello Daniel,
>>
>>> 14:09:53.069743 IP6 SOURCENET::2 > DESTNET::6: frag (0|1400) 4500 >
>>> 4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
>>> 14:09:53.070185 IP6 SOURCENET::2 > DESTNET::6: frag (1400|352)
>>> 14:10:06.802214 IP6 DESTNET::6 > SOURCENET::2: ICMP6, time exceeded
>>> in-transit (reassembly), length 1240
>> this is most likely a firewall problem with your Debian machine. Only
>> the first fragment is accepted by your netfilter rules and the second
>> fragment is dropped, leading to a reassembly timeout after 60s.
>>
> I'm trying Shorewall firewall, is there a recommended set of parameters
> for configuring Shorewall with StrongSwan?
>
> On the certificate size issue: will using ECC instead of RSA make the
> certificates small enough to avoid fragmentation?  What packet sizes
> have been observed in practice with 384 bit ECC for example?
>

Just following up on this... I tried copying the certs onto two of my
machines to avoid fragmentation and that does make it work

However, I feel this undermines some of the convenience of using
certificates and it also means that I can't use wildcards in ipsec.conf,
every peer's certificate filename needs to be defined in some conn
section explicitly.

I didn't actually experience this problem with all the client/server
pairs I've tested (and they all go through at least two firewall / NAT
environments, e.g. from a mobile tethering connection where I do some
testing).

I'm hoping that ECDSA may solve this (due to the smaller certificate
size) but haven't been able to confirm that because of the lack of ECDSA
support in the OpenWRT packages.  I've made up keys and configs for
ECDSA and will test and share my results once the updated package is
available.
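As an added example (not code from this thread, from strongSwan or from the poster), the script below reads tcpdump lines of the shape quoted above and shows how to turn them into a diagnosis: it groups the IPv6 fragments of each flow, checks that the sender emitted a contiguous fragment set, derives the path MTU implied by the largest fragment (payload + 40-byte IPv6 header + 8-byte Fragment header), and flags the flow when the peer answers with an ICMPv6 "time exceeded (reassembly)", which means the first fragment arrived but a later one was dropped. The sample trace is the three lines from the thread, constructed inline; the flow key, the verdict strings and the `fragments_needed` helper (which estimates how many fragments an IKE_AUTH of a given size needs, the question behind the ECDSA idea) are my own assumptions, and the trace is assumed to have been captured on the sending host.

```python
"""Diagnose IPv6 fragment loss for IKEv2 IKE_AUTH from a tcpdump -n trace.

Added example, not part of the strongSwan thread. Assumes the trace was
captured on the sending host.
"""
import re
from typing import Dict, List, Tuple

IPV6_HEADER = 40   # fixed IPv6 header length
FRAG_HEADER = 8    # IPv6 Fragment extension header length

# Constructed input: the three tcpdump lines quoted in the thread, verbatim.
SAMPLE_TRACE = """\
14:09:53.069743 IP6 SOURCENET::2 > DESTNET::6: frag (0|1400) 4500 > 4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
14:09:53.070185 IP6 SOURCENET::2 > DESTNET::6: frag (1400|352)
14:10:06.802214 IP6 DESTNET::6 > SOURCENET::2: ICMP6, time exceeded in-transit (reassembly), length 1240
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) IP6 (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
# Older tcpdump prints "frag (0|1400)", newer prints "frag (0x<id>:0|1400)"; accept both.
FRAG_RE = re.compile(r"frag \((?:0x[0-9a-fA-F]+:)?(?P<off>\d+)\|(?P<len>\d+)\)")
REASM_RE = re.compile(r"ICMP6, time exceeded in-transit \(reassembly\)")


def fragments_needed(payload_bytes: int, mtu: int) -> int:
    """Number of IPv6 fragments a UDP payload of payload_bytes needs at a given MTU."""
    if payload_bytes + IPV6_HEADER <= mtu:
        return 1                                                  # fits without a Fragment header
    per_fragment = (mtu - IPV6_HEADER - FRAG_HEADER) // 8 * 8     # non-final fragments are multiples of 8
    return -(-payload_bytes // per_fragment)                      # ceiling division


def analyze_trace(trace: str) -> Dict[str, Dict[str, object]]:
    """Group fragments per (src, dst) flow and match them against reassembly timeouts."""
    frags: Dict[Tuple[str, str], List[Tuple[int, int]]] = {}
    reasm_failed: set = set()
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, rest = m.group("src"), m.group("dst"), m.group("rest")
        f = FRAG_RE.search(rest)
        if f:
            frags.setdefault((src, dst), []).append((int(f.group("off")), int(f.group("len"))))
        elif REASM_RE.search(rest):
            # The ICMPv6 error travels from the reassembling host back to the sender,
            # so it identifies the flow (sender -> receiver) in reverse.
            reasm_failed.add((dst, src))

    report: Dict[str, Dict[str, object]] = {}
    for (src, dst), pieces in frags.items():
        pieces.sort()
        expected, contiguous = 0, True
        for off, ln in pieces:
            if off != expected:
                contiguous = False
            expected = off + ln
        total = max(off + ln for off, ln in pieces)
        largest = max(ln for _, ln in pieces)
        failed = (src, dst) in reasm_failed
        if failed and contiguous:
            verdict = ("sender emitted a complete fragment set but the peer timed out "
                       "reassembling it: a non-initial fragment is dropped in transit "
                       "(typically a firewall that only passes the first fragment)")
        elif failed:
            verdict = "fragment set is already incomplete at the sender; look at the sending host first"
        else:
            verdict = "no reassembly timeout seen for this flow"
        report[f"{src} > {dst}"] = {
            "fragments": pieces,
            "total_payload_bytes": total,
            "implied_mtu": largest + IPV6_HEADER + FRAG_HEADER,
            "contiguous": contiguous,
            "reassembly_failed": failed,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for flow, info in analyze_trace(SAMPLE_TRACE).items():
        print(flow)
        for key, value in info.items():
            print(f"  {key}: {value}")
        mtu = int(info["implied_mtu"])
        print(f"  fragments at {mtu}-byte MTU: "
              f"{fragments_needed(int(info['total_payload_bytes']), mtu)} now, "
              f"{fragments_needed(1200, mtu)} if IKE_AUTH shrank to 1200 bytes")
```

For the quoted trace this reports a 1752-byte IKE_AUTH split into two contiguous fragments, an implied MTU of 1448, and a reassembly timeout signalled by the peer, i.e. the second fragment never reached the receiver. The `fragments_needed` figures make the certificate-size question concrete: anything that keeps the whole IKE_AUTH under MTU minus 40 bytes avoids fragmentation entirely, and when measuring ECDSA certificates the number to compare is the total IKE_AUTH size on the wire, not just the certificate DER length.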