[strongSwan] Weird connection problem with one machine (IKEv2)
Volker Rümelin
vr_strongswan at t-online.de
Wed Mar 26 21:11:48 CET 2014
Hi Raoul,
> So given that my tcpdump establishes that in the bad case the
> ikev2_auth[I] arrives at the machine but the logs in strongswan do not
> indicate that it was processed/received then what could be the issue
> here? I believe I have ruled out iptables/firewall as a cause. So I
> *think* the data does get there but why do the logs go quiet as if it
> didn't get processed/handled?
>
> I did notice in the good case that the IKE_AUTH request was 2380
> bytes. Could this be a fragmentation thing? Could it be something
> really subtle like a kernel problem? Seems unlikely - but how would I
> ascertain this?
>
> Can you give any suggestions on how I can debug this? Is there any
> useful logging I can enable to get to the bottom of this?
>
Most likely this is a fragmentation problem. To show it you also have to
capture the following fragments, not only the first fragment. Something
like this works.
root@bad-server:~# tcpdump -n -s 0 -v 'host my-client-ip'
If you do this on both sides it's possible to detect the dropped fragments.
Regards,
Volker
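
Added example (not part of the original message): one way to compare the two `tcpdump -n -v` text captures suggested above and list the IP fragments that left the sender but never reached the receiver. The sample capture text, addresses and IP ID are constructed, and the script assumes IPv4 with no NAT between the two capture points, so addresses and IP IDs match on both sides.

```python
import re

# IPv4 header line as printed by `tcpdump -n -v`.
HDR = re.compile(r"IP \(.*?\bid (\d+), offset (\d+), flags \[([^\]]*)\], "
                 r"proto \w+ \(\d+\), length \d+\)")
# Indented address line that follows each header line (ports are optional,
# because non-first fragments carry no UDP header).
ADDR = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
                  r"(\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")

def fragments(text):
    """Return {(src, dst, ip_id): {offset: more_fragments}} for fragmented datagrams."""
    frags, pending = {}, None
    for line in text.splitlines():
        h = HDR.search(line)
        if h:
            pending = (h.group(1), int(h.group(2)), "+" in h.group(3))
            continue
        a = ADDR.match(line)
        if a and pending:
            ip_id, off, more = pending
            if off > 0 or more:  # unfragmented packets have offset 0 and no MF flag
                frags.setdefault((a.group(1), a.group(2), ip_id), {})[off] = more
            pending = None
    return frags

def dropped(sender_text, receiver_text):
    """List (src, dst, ip_id, offset) captured at the sender but not at the receiver."""
    sent, rcvd = fragments(sender_text), fragments(receiver_text)
    return sorted((*key, off) for key, offs in sent.items()
                  for off in offs if off not in rcvd.get(key, {}))

# Constructed sample captures: the client sends a two-fragment IKE_AUTH,
# the server only sees the first fragment.
SENDER_CAPTURE = """\
21:10:01.000001 IP (tos 0x0, ttl 64, id 4711, offset 0, flags [+], proto UDP (17), length 1500)
    192.0.2.10.4500 > 198.51.100.20.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[I]
21:10:01.000009 IP (tos 0x0, ttl 64, id 4711, offset 1480, flags [none], proto UDP (17), length 928)
    192.0.2.10 > 198.51.100.20: ip-proto-17
"""
RECEIVER_CAPTURE = """\
21:10:01.020003 IP (tos 0x0, ttl 57, id 4711, offset 0, flags [+], proto UDP (17), length 1500)
    192.0.2.10.4500 > 198.51.100.20.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[I]
"""

if __name__ == "__main__":
    for src, dst, ip_id, off in dropped(SENDER_CAPTURE, RECEIVER_CAPTURE):
        print(f"fragment missing at receiver: {src} > {dst} id {ip_id} offset {off}")
```

A datagram whose first fragment arrives but whose later offsets are listed here cannot be reassembled, so it never reaches the IKE daemon.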