[strongSwan] udp packet size

Martin Willi martin at strongswan.org
Thu Mar 12 09:29:15 CET 2015


Hi Steffen,

> Strongswan 5.2.2 on linux (centos 6) IKEv2 configuration for windows
> clients I have the following problem:

> My more specific question is why is the outgoing UDP packet size
> greater than the MTU size on the interface?

In an IKE_AUTH response, the large part of the message is probably the
exchanged certificate. You may try to generate a smaller server
certificate (chain) so that this message fits in your MTU.

> I have tried to modify the charon.fragment_size and conn specific
> fragmentation settings and cannot get this to modify the behavior.

IKEv2 fragmentation is a protocol extension (RFC 7383), and AFAIK it is
not supported in the Windows client. So you can't use it with these
clients, but have to try to avoid messages larger than your MTU to get
things working on such constrained networks.

Regards
Martin
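
Added example (not part of the original message and not strongSwan code): a check that reads the IKEv2 header of a captured UDP payload, using the header layout and the four-zero-octet prefix on port 4500 from RFC 7296, and reports whether the datagram exceeds the MTU and how many IP fragments it needs. It assumes IPv4 without options and a 1500-byte MTU; the sample messages are constructed, with zero bytes standing in for the payloads.

```python
import struct

IKE_HDR = struct.Struct("!8s8sBBBBII")   # SPIi, SPIr, next payload, version,
                                         # exchange type, flags, message ID, length
NON_ESP_MARKER = b"\x00" * 4             # prepended to IKE messages on UDP 4500
EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
             36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}

def check_ike_datagram(udp_payload, port, mtu=1500):
    """Parse the IKEv2 header and compare the resulting IPv4 packet to the MTU."""
    data = udp_payload
    if port == 4500:
        if data[:4] != NON_ESP_MARKER:
            raise ValueError("UDP 4500 payload without non-ESP marker is not IKE")
        data = data[4:]
    if len(data) < IKE_HDR.size:
        raise ValueError("shorter than the 28-byte IKE header")
    _, _, _, version, exch, flags, msg_id, length = IKE_HDR.unpack_from(data)
    if version >> 4 != 2 or length != len(data):
        raise ValueError("not a complete IKEv2 message")
    ip_payload = 8 + len(udp_payload)        # UDP header + UDP payload
    ip_packet = 20 + ip_payload              # assumed: IPv4 header, no options
    per_fragment = (mtu - 20) // 8 * 8       # fragment data is a multiple of 8
    return {
        "exchange": EXCHANGES.get(exch, str(exch)),
        "is_response": bool(flags & 0x20),   # R flag
        "message_id": msg_id,
        "ip_packet_len": ip_packet,
        "fits_mtu": ip_packet <= mtu,
        "ip_fragments": -(-ip_payload // per_fragment),  # ceiling division
    }

def build_sample(exchange, ike_len, port):
    """Constructed sample: valid header, zero bytes in place of real payloads."""
    hdr = IKE_HDR.pack(b"\x11" * 8, b"\x22" * 8, 46, 0x20, exchange, 0x20, 1, ike_len)
    msg = hdr + bytes(ike_len - IKE_HDR.size)
    return NON_ESP_MARKER + msg if port == 4500 else msg

# An 1800-byte IKE_AUTH response (certificate-sized) and a 600-byte IKE_SA_INIT.
AUTH_RESP = check_ike_datagram(build_sample(35, 1800, 4500), 4500)
INIT_RESP = check_ike_datagram(build_sample(34, 600, 500), 500)

if __name__ == "__main__":
    print(AUTH_RESP)
    print(INIT_RESP)
```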


