[strongSwan] Weird connection problem with one machine (IKEv2)

Volker Rümelin vr_strongswan at t-online.de
Wed Mar 26 21:11:48 CET 2014

Hi Raoul,
> So given that my tcpdump establishes that in the bad case the
> ikev2_auth[I] arrives at the machine but the logs in strongswan do not
> indicate that it was processed/received then what could be the issue
> here?  I believe I have ruled out iptables/firewall as a cause.  So I
> *think* the data does get there but why do the logs go quiet as if it
> didn't get processed/handled?
> I did notice in the good case that the  IKE_AUTH request was 2380
> bytes.  Could this be a fragmentation thing?  Could it be something
> really subtle like a kernel problem?  Seems unlikely - but how would I
> ascertain this?
> Can you give any suggestions on how I can debug this?   Is there any
> useful logging I can enable to get to the bottom of this?
most likely this is a fragmentation problem. To show it you also have to 
capture the following fragments, not only the first fragment. Something 
like this works.

root at bad-server:~# tcpdump -n -s 0 -v 'host my-client-ip'

If you do this on both sides it's possible to detect the dropped fragments.


More information about the Users mailing list