[strongSwan] Gateway stops receiving end entity cert from a particular client

Andreas Steffen andreas.steffen at strongswan.org
Mon Jan 19 23:58:46 CET 2015


Hi Banio,

I think your problem is due to IP fragmentation because the IKE_AUTH
message containing the certificate exceeds the MTU. As a workaround,
upgrade to at least strongSwan version 5.2.1 and enable IKEv2
fragmentation in the ipsec.conf files on both endpoints by adding

  fragmentation=yes

to the connection definition. You can also play around with the
maximum fragment size, e.g. by setting

charon {
  fragment_size = 1500
}

in strongswan.conf.

Best regards

Andreas

On 01/19/2015 09:56 PM, Banio wrote:
> I have 7 gateways (all set up the same) and many clients (all configured
> in the same manner), some on multiple gateways.  The gateways use certs
> for authentication.  Clients and gateways are all on amazon aws.  I
> periodically see the following issue:
> 
> Client connects fine to gateway for weeks, then stops being able to
> connect.  Other clients continue to connect without issue to gateway.
> The two can communicate and get to the point where they both send their
> respective "request for cert", and the client sends its end entity
> cert, but the gateway never seems to receive it. The client continues to
> retransmit until 5 are sent and it times out.  If I destroy the virtual
> server and redeploy, the new client, with the same hostname and same
> configuration, can connect without issue.
> 
> Here is the meta info (versions and OS are the same on gateway and client):
> 
> OS: Centos 6.6
> strongswan version: 5.2.0
> Gateway config: http://ur1.ca/jh5g7
> Client config: http://ur1.ca/jh5go
> Gateway log: http://ur1.ca/jh5h4
> Client log: http://ur1.ca/jh5hn
> 
> Please let me know if you need more info.

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
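An added example (not from this thread or the strongSwan project) that audits the two settings Andreas recommends: it parses ipsec.conf conn sections and the charon section of strongswan.conf and flags conns that do not have fragmentation=yes, or whose fragment_size is larger than the path MTU. The sample files are constructed, and the 1280-byte fallback for fragment_size is an assumption.

```python
import re

# Constructed sample files modelled on the settings suggested above.
IPSEC_CONF = """\
config setup

conn %default
  keyexchange=ikev2

conn gw-client
  left=%any
  leftcert=gwCert.pem
  fragmentation=yes
  auto=add

conn gw-legacy
  left=%any
  leftcert=gwCert.pem
  auto=add
"""

STRONGSWAN_CONF = """\
charon {
  fragment_size = 1500
}
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every conn section; params must be indented."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()   # drop comments and trailing blanks
        if not line:
            continue
        m = re.match(r'^conn\s+(\S+)$', line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif line[0].isspace() and current is not None and '=' in line:
            key, value = line.strip().split('=', 1)
            current[key.strip()] = value.strip()
    return sections

def charon_fragment_size(text, default=1280):
    """fragment_size from the charon {...} section; 'default' is an assumed fallback."""
    m = re.search(r'charon\s*\{[^}]*?\bfragment_size\s*=\s*(\d+)', text)
    return int(m.group(1)) if m else default

def audit(ipsec_text, strongswan_text, path_mtu=1500):
    """Findings for conns whose IKE_AUTH (carrying a cert) could still exceed the MTU."""
    conns = parse_ipsec_conf(ipsec_text)
    defaults = conns.get('%default', {})
    size = charon_fragment_size(strongswan_text)
    findings = []
    for name, opts in conns.items():
        if name == '%default':
            continue
        frag = opts.get('fragmentation', defaults.get('fragmentation', 'no'))
        if frag != 'yes':
            findings.append(f'{name}: fragmentation={frag}; certs in IKE_AUTH may exceed the MTU')
        elif size > path_mtu:
            findings.append(f'{name}: fragment_size={size} exceeds path MTU {path_mtu}')
    return findings
```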
