[strongSwan] udp packet size

Steffen Plotner swplotner at amherst.edu
Thu Mar 12 03:35:21 CET 2015


Hi,

With strongSwan 5.2.2 on Linux (CentOS 6) and an IKEv2 configuration for Windows clients, I have the following problem:

Initiator sends IKE_SA_INIT
Server responds with IKE_SA_INIT
Initiator sends IKE_AUTH
Server responds with a fragmented IP packet of 1514 bytes (the MTU is 1500 on the outgoing interface).

I have determined using Wireshark that the fragment gets dropped by someone... if the client is behind a Comcast link it works, and behind a Roadrunner link it fails.

My more specific question is why is the outgoing UDP packet size greater than the MTU size on the interface?

I have tried to modify the charon.fragment_size and conn-specific fragmentation settings and cannot get this to modify the behavior. If we could get the UDP packet size to be below the MTU of the interface, that would help.

Steffen

_______________________________________________________________________________________________
Steffen Plotner                            Amherst College            Tel (413) 542-2348
Systems/Network Administrator/Programmer   PO BOX 5000                Fax (413) 542-2626
Systems & Networking                       Amherst, MA 01002-5000     swplotner at amherst.edu
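
Added example, not part of the original post: how a UDP datagram larger than the link MTU is split at the IP layer, and how to recognise the resulting fragments from raw IPv4 header bytes in a capture. It assumes IPv4 without options on untagged Ethernet, where a full 1500-byte IP fragment is a 1514-byte frame on the wire; the 2000-byte payload size and the sample header are constructed.

```python
import struct

ETH_HDR, IP_HDR, UDP_HDR = 14, 20, 8  # untagged Ethernet II, IPv4 without options, UDP

def ip_fragments(udp_payload_len, mtu=1500):
    """Split one UDP datagram into IPv4 fragments.

    Returns (frame_len, ip_total_len, offset_bytes, more_fragments) per fragment.
    """
    remaining = UDP_HDR + udp_payload_len      # the UDP header is sent once
    per_frag = (mtu - IP_HDR) // 8 * 8         # non-final fragments carry a multiple of 8
    frags, offset = [], 0
    while remaining > 0:
        chunk = min(per_frag, remaining)
        remaining -= chunk
        ip_len = IP_HDR + chunk
        frags.append((ETH_HDR + ip_len, ip_len, offset, remaining > 0))
        offset += chunk
    return frags

def max_unfragmented_payload(mtu=1500):
    """Largest UDP payload that still fits in a single IPv4 packet."""
    return mtu - IP_HDR - UDP_HDR

def fragment_info(ipv4_header):
    """Decode total length and the flags/fragment-offset field of a raw IPv4 header."""
    total_len, = struct.unpack("!H", ipv4_header[2:4])
    field, = struct.unpack("!H", ipv4_header[6:8])
    more = bool(field & 0x2000)                # MF (more fragments) flag
    offset = (field & 0x1FFF) * 8              # offset is stored in 8-byte units
    return {"total_len": total_len, "more_fragments": more,
            "offset": offset, "is_fragment": more or offset > 0}

# Constructed sample: IPv4 header of a first fragment (UDP, MF set, checksum left at 0).
SAMPLE_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x2000, 64, 17, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

if __name__ == "__main__":
    for frag in ip_fragments(2000):            # 2000 bytes is a constructed payload size
        print(frag)
    print(max_unfragmented_payload(), fragment_info(SAMPLE_HDR))
```

Only the first fragment carries the UDP header, so a middlebox that drops later fragments sees no port numbers in them.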


