[strongSwan] IKEv1 fragmentation support for Windows clients

Volker Rümelin vr_strongswan at t-online.de
Sun Oct 6 12:28:41 CEST 2013

Hi strongSwan developers,

sometimes I have problems to build up a VPN connection to strongswan 
with my Windows clients because of misconfigured or broken routers 
dropping IP fragments. A few months ago I tried to enable IKEv1 
fragmentation support for Windows clients with a small patch. This works 
for Windows XP clients, but breaks Windows 7 l2tp/ipsec clients. It 
seems Windows 7 ignores IKE fragments for the second exchange. As a 
quick workaround I set fragment_size = 1196. In my case now only 
messages containing certificates are sent as IKE fragments, which makes 
Windows 7 clients work again.

Now I have a few patches which enable just this behaviour. With 
fragmentation=onlycerts strongswan only sends IKE fragments if the peer 
supports it and the message contains certificates.

Before I continue I would like to know if this is something you can 
accept for the repository?



More information about the Users mailing list