[strongSwan] Gateway stops receiving end entity cert from a particular client

Andreas Steffen andreas.steffen at strongswan.org
Mon Jan 19 23:58:46 CET 2015

Hi Banio,

I think your problem is due to IP fragmentation because the IKE_AUTH
message containing the certificate exceeds the MTU. As a workaround,
upgrade to at least strongSwan version 5.2.1 and enable IKEv2
fragmentation in the ipsec.conf files on both endpoints by adding


to the connection definition. You can also play around with the
maximum fragment size, e.g. by setting

charon {
  fragment_size = 1500
}
in strongswan.conf.

Best regards


On 01/19/2015 09:56 PM, Banio wrote:
> I have 7 gateways (all set up the same) and many clients (all configured
> in the same manner), some on multiple gateways.  The gateways use certs
> for authentication.  Clients and gateways are all on amazon aws.  I
> periodically see the following issue:
> Client connects fine to gateway for weeks, then stops being able to
> connect.  Other clients continue to connect without issue to gateway.
> The two can communicate and get to the point where they both send their
> respective "request for cert", and the client sends its end entity
> cert, but the gateway never seems to receive it. The client continues to
> retransmit until 5 are sent and it times out.  If I destroy the virtual
> server and redeploy, the new client, with the same hostname and same
> configuration, can connect without issue.
> Here is the meta info (versions and OS are the same on gateway and client):
> OS: Centos 6.6
> strongswan version: 5.2.0
> Gateway config: http://ur1.ca/jh5g7
> Client config: http://ur1.ca/jh5go
> Gateway log: http://ur1.ca/jh5h4
> Client log: http://ur1.ca/jh5hn
> Please let me know if you need more info.

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
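As an added illustration of the fragment-size advice in the reply above (this is example code written here, not anything from the strongSwan project or the thread), the following script parses the `charon { fragment_size = ... }` section syntax of strongswan.conf and checks the configured value against a path MTU. It assumes `fragment_size` denotes the complete IP datagram size, uses the fixed IPv4 (20), UDP (8) and IKE header (28) lengths, and deliberately ignores the Encrypted Fragment payload header, IV, padding and ICV, so the fragment counts it produces are a lower bound. The sample configuration text and the `plugins.example.setting` key are constructed purely to exercise the parser.

```python
# Added example, not code from the mailing-list post or from strongSwan.
# Parses strongswan.conf-style nested sections and checks fragment_size
# against an assumed path MTU.
import math
import re

IPV4_HEADER = 20   # bytes, RFC 791
UDP_HEADER = 8     # bytes, RFC 768
IKE_HEADER = 28    # bytes, RFC 7296 section 3.1

# Constructed sample modelled on the snippet in the reply; the nested
# "plugins { example { ... } }" section is made up to exercise the parser.
SAMPLE_CONF = """\
charon {
  fragment_size = 1500
  plugins {
    example {
      setting = 1
    }
  }
}
"""


def parse_strongswan_conf(text):
    """Flatten strongswan.conf sections into a dict keyed by dotted path,
    e.g. {'charon.fragment_size': '1500'}. Assumes one "section {", "}"
    or "key = value" item per line; '#' starts a comment."""
    result = {}
    path = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.endswith('{'):
            path.append(line[:-1].strip())
        elif line == '}':
            if not path:
                raise ValueError('unbalanced closing brace')
            path.pop()
        else:
            m = re.match(r'^([A-Za-z0-9_.-]+)\s*=\s*(.*)$', line)
            if not m:
                raise ValueError('cannot parse line: %r' % raw)
            result['.'.join(path + [m.group(1)])] = m.group(2).strip()
    if path:
        raise ValueError('unclosed section(s): %s' % '.'.join(path))
    return result


def fragments_needed(ike_payload_len, fragment_size):
    """Lower bound on the number of IKEv2 fragments for a message whose
    payloads total ike_payload_len bytes, if every fragment is an IPv4/UDP
    datagram of at most fragment_size bytes (assumption: fragment_size is
    the full datagram size; per-fragment crypto overhead is ignored)."""
    capacity = fragment_size - (IPV4_HEADER + UDP_HEADER + IKE_HEADER)
    if capacity <= 0:
        raise ValueError('fragment_size %d leaves no room for payload' % fragment_size)
    return math.ceil(ike_payload_len / capacity)


def fragment_report(conf_text, path_mtu, ike_payload_len):
    """Parse the config and report whether charon.fragment_size fits the
    given path MTU and how many fragments a message would need."""
    conf = parse_strongswan_conf(conf_text)
    raw = conf.get('charon.fragment_size')
    if raw is None:
        return {'fragment_size': None, 'fits_mtu': None, 'fragments': None}
    fragment_size = int(raw)
    return {
        'fragment_size': fragment_size,
        'fits_mtu': fragment_size <= path_mtu,
        'fragments': fragments_needed(ike_payload_len, fragment_size),
    }


if __name__ == '__main__':
    # A 5000-byte IKE_AUTH payload (certificate plus the other payloads)
    # across a path whose MTU is assumed to be 1400 bytes.
    print(fragment_report(SAMPLE_CONF, path_mtu=1400, ike_payload_len=5000))
```

The point of the `fits_mtu` flag is the one the reply makes: a `fragment_size` larger than the smallest MTU on the path still produces datagrams that get IP-fragmented (or silently dropped where ICMP is filtered), so the value should be lowered to the path MTU rather than raised.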
