[strongSwan] fragmentation problems fixed with ECDSA (was: %defaultroute resolves to link-local address)

Daniel Pocock daniel at pocock.com.au
Sat Jul 6 01:30:38 CEST 2013

On 05/07/13 10:43, Daniel Pocock wrote:
> On 04/07/13 23:58, Daniel Pocock wrote:
>> On 04/07/13 22:02, Volker Rümelin wrote:
>>> Hello Daniel,
>>>> 14:09:53.069743 IP6 SOURCENET::2 > DESTNET::6: frag (0|1400) 4500 >
>>>> 4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
>>>> 14:09:53.070185 IP6 SOURCENET::2 > DESTNET::6: frag (1400|352)
>>>> 14:10:06.802214 IP6 DESTNET::6 > SOURCENET::2: ICMP6, time exceeded
>>>> in-transit (reassembly), length 1240
>>> this is most likely a firewall problem with your Debian machine. Only
>>> the first fragment is accepted by your netfilter rules and the second
>>> fragment is dropped, leading to a reassembly timeout after 60s.
>> I'm trying Shorewall firewall, is there a recommended set of parameters
>> for configuring Shorewall with StrongSwan?
>> On the certificate size issue: will using ECC instead of RSA make the
>> certificates small enough to avoid fragmentation?  What packet sizes
>> have been observed in practice with 384 bit ECC for example?
> Just following up on this... I tried copying the certs onto two of my
> machines to avoid fragmentation and that does make it work.
> However, I feel this undermines some of the convenience of using
> certificates and it also means that I can't use wildcards in ipsec.conf,
> every peer's certificate filename needs to be defined in some conn
> section explicitly.
> I didn't actually experience this problem with all the client/server
> pairs I've tested (and they all go through at least two firewall / NAT
> environments, e.g. from a mobile tethering connection where I do some
> testing).
> I'm hoping that ECDSA may solve this (due to the smaller certificate
> size) but haven't been able to confirm that because of the lack of ECDSA
> support in the OpenWRT packages.  I've made up keys and configs for
> ECDSA and will test and share my results once the updated package is
> available.

I made a local rebuild of the OpenWRT OpenSSL and strongSwan packages
with ECDSA enabled.

I replaced the certs on both VPN endpoints with 384-bit ECDSA certs.

My certs also have the following:

DN = 62 bytes and 68 bytes
Issuer DN = 48 bytes
subjectAltName = 20 bytes and 26 bytes

Using ECDSA, I notice that the IKE_AUTH packets are reduced to 1418 and
1274 bytes - neither packet is fragmented now as they are under the MTU.

I've also tested with the Android client using ECDSA:

- if the VPN server has ECDSA but the client has an RSA cert, the
connection succeeds

- however, if I put an ECDSA cert in the Android client, it fails with
this error in the log on Android:
"signature scheme RSA_EMSA_PKCS1_SHA1 not supported in EC"

and then "failed to load private key"

Note that all the certs are signed by an RSA-based CA.
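
An added example, not part of the original post or of strongSwan: a Python sketch that applies the diagnosis quoted above to a text capture from tcpdump, pairing fragmented IKE datagrams with the ICMPv6 reassembly timeouts returned for them. The sample input is constructed from the three records quoted in the thread (e-mail line wrapping undone), and the function names are hypothetical.

```python
import re

# Constructed sample: the three tcpdump records quoted in the thread, with the
# e-mail line wrapping undone so each record is one line, as tcpdump prints it.
SAMPLE = (
    "14:09:53.069743 IP6 SOURCENET::2 > DESTNET::6: frag (0|1400) 4500 > 4500: "
    "NONESP-encap: isakmp: child_sa  ikev2_auth[I]\n"
    "14:09:53.070185 IP6 SOURCENET::2 > DESTNET::6: frag (1400|352)\n"
    "14:10:06.802214 IP6 DESTNET::6 > SOURCENET::2: ICMP6, time exceeded "
    "in-transit (reassembly), length 1240\n"
)

FRAG = re.compile(r"^\S+ IP6 (\S+) > (\S+): frag \((\d+)\|(\d+)\)")
TIMEOUT = re.compile(
    r"^\S+ IP6 (\S+) > (\S+): ICMP6, time exceeded in-transit \(reassembly\)")


def analyse(text):
    """Group IPv6 fragments per (src, dst) and mark reassembly timeouts."""
    flows = {}
    for line in text.splitlines():
        m = FRAG.match(line)
        if m:
            src, dst, off, size = m.groups()
            flow = flows.setdefault((src, dst), {
                "fragments": [], "bytes": 0, "ike": False, "timeout": False})
            flow["fragments"].append((int(off), int(size)))
            # Offset plus length of the furthest fragment = fragmented payload size.
            flow["bytes"] = max(flow["bytes"], int(off) + int(size))
            # Only the first fragment carries the UDP/IKE header tcpdump decodes.
            flow["ike"] = flow["ike"] or "isakmp" in line
            continue
        m = TIMEOUT.match(line)
        if m:
            reporter, sender = m.groups()
            # The error travels back from the reassembling host to the sender.
            if (sender, reporter) in flows:
                flows[(sender, reporter)]["timeout"] = True
    return flows


def dropped_ike_flows(text):
    """Flows where a fragmented IKE message never reassembled at the peer."""
    return sorted(k for k, f in analyse(text).items() if f["ike"] and f["timeout"])


if __name__ == "__main__":
    for key, flow in analyse(SAMPLE).items():
        print(key, flow)
```

On the sample, the fragmented payload comes to 1752 bytes (1400 + 352); the sizes reported after switching to ECDSA are stated in the post to be under the MTU, so a capture of those would contain no `frag` records.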
