[strongSwan] strongswan-5.1.1 with 4.xx, tunnel pb

Volker Rümelin vr_strongswan at t-online.de
Mon Jan 6 21:58:53 CET 2014

Hello Serge,

> Hello,
> I did some homework and found out different elements, which may help to troubleshoot.
>>> This packet was a large packet and was sent as two UDP fragments.
> What looked like packet fragmentation in fact appeared to be two different CAs sent in the key exchange.
> I had 2 CAs in the "cacert" folder due to the coming expiration of one of them. So I removed the expired one and the packet duplication was solved.

Sorry, but I doubt this solved your fragmentation problem. To be sure, I 
suggest you once again initiate an IKEv2 connection and capture the 
packets with tcpdump on both sides at the same time. Something like

root@bt:~ # tcpdump -i eth0 -n -v -s 0 'host'

root@karma:~ # tcpdump -i eth0 -n -v -s 0 'host'

And I would also like to see

# tail -f /var/log/messages | grep 'charon:'

from both sides.

Btw., did you read the strongSwan documentation about IKEv1 
fragmentation? Especially the part about since which strongSwan version 
it is available? IKEv1 doesn't help here.
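
Added example, not part of the original message: a Python script that reads the `tcpdump -n -v` text captured on both sides and reports which UDP fragments left the sender but never reached the receiver. The sample capture lines are constructed, and the function names are hypothetical; it assumes IPv4 headers without options and an IP id that is unchanged between the two capture points.

```python
import re

# IPv4 header line as printed by `tcpdump -n -v`.
HDR = re.compile(r"IP \(.*?\bid (\d+), offset (\d+), flags \[([^\]]*)\], "
                 r"proto (\w+) \(\d+\), length (\d+)\)")

def parse_fragments(text):
    """Return {ip_id: [(offset, more_fragments, total_length), ...]} for UDP fragments."""
    frags = {}
    for line in text.splitlines():
        m = HDR.search(line)
        if not m or m.group(4) != "UDP":
            continue
        ip_id, offset, more = int(m.group(1)), int(m.group(2)), "+" in m.group(3)
        if more or offset > 0:  # MF flag set or non-zero offset means a fragment
            frags.setdefault(ip_id, []).append((offset, more, int(m.group(5))))
    return frags

def is_complete(parts, ihl=20):
    """True if the fragments cover the datagram from offset 0 through the last one.
    ihl=20 is an assumption: IPv4 header without options."""
    expected = 0
    for offset, more, length in sorted(parts):
        if offset != expected:
            return False
        expected = offset + length - ihl
        if not more:
            return True
    return False

def lost_in_transit(sender_text, receiver_text):
    """Return {ip_id: [offsets]} of fragments seen at the sender but not the receiver."""
    sent, rcvd = parse_fragments(sender_text), parse_fragments(receiver_text)
    report = {}
    for ip_id, parts in sent.items():
        missing = sorted(set(parts) - set(rcvd.get(ip_id, [])))
        if missing:
            report[ip_id] = [offset for offset, _, _ in missing]
    return report

# Constructed sample output (documentation addresses), not taken from the thread.
SENDER = """\
21:58:53.100000 IP (tos 0x0, ttl 64, id 4241, offset 0, flags [none], proto UDP (17), length 300)
21:58:53.200000 IP (tos 0x0, ttl 64, id 4242, offset 0, flags [+], proto UDP (17), length 1500)
21:58:53.200010 IP (tos 0x0, ttl 64, id 4242, offset 1480, flags [none], proto UDP (17), length 212)
"""
RECEIVER = """\
21:58:53.100900 IP (tos 0x0, ttl 63, id 4241, offset 0, flags [none], proto UDP (17), length 300)
21:58:53.200900 IP (tos 0x0, ttl 63, id 4242, offset 0, flags [+], proto UDP (17), length 1500)
"""

if __name__ == "__main__":
    print(lost_in_transit(SENDER, RECEIVER))
```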

