[strongSwan] udp packet size
Fred
curious_freddy at gmsl.co.uk
Thu Mar 12 10:16:00 CET 2015
On 12/03/2015 08:29, Martin Willi wrote:
> IKEv2 fragmentation is a protocol extension (RFC 7383), and AFAIK it is
> not supported in the Windows client. So you can't use it with these
> clients, but have to try to avoid messages larger than your MTU to get
> things working on such constrained networks.
I seem to keep running into exactly the same issues as other people at
more or less the same time. What a coincidence! I was looking into
this late last night; here are my thoughts.
I have Windows Phone 8.1 working nicely against strongSwan over wired
networks and WiFi, but over 3G/HSDPA mobile data networks the same
working connection doesn't work. It fails in the IKEv2 auth. A 1500 byte
packet is sent but is retransmitted many times before finally failing.
tcpdump shows flags [+] indicating fragmentation (offset is 0). I can
provide packet dumps on request if helpful. So something in the path
doesn't like the fragmentation.
I wanted to look into path MTU being the culprit but I wasn't able to
detect the lowest MTU in the path since the mobile device is firewalled
by the network operator. People also do block UDP fragments, so I looked
into trying to preload the certificates to minimise data size in the
exchange. This didn't work. Presumably the WP always requests the VPN
cert? Setting sendleftcert=never breaks the connection in any case. So I
then looked into the fragmentation=yes feature. It didn't work, or
rather I couldn't get it to work and packet captures showed the messages
were STILL being fragmented despite me setting strongSwan fragment_size.
I had a think about how this feature might work, and it dawned on me
that this feature would have to be supported at both endpoints for
reassembly at the other end (it was late!). Reading the relevant
section in the RFC confirmed this. Obviously there's no Microsoft
documentation about whether or not this feature is supported in their
VPN Reconnect client; but it appears not. Shame there's no strongSwan
app in the Windows Store ;-)
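The symptom described in this thread (a 1500 byte IKE_AUTH packet with `flags [+]`, retransmitted repeatedly with no answer) is easy to confirm from a capture before touching any configuration. The following Python checker is an added example for this thread, not code from strongSwan or from the poster. It assumes the line layout printed by `tcpdump -n -v` (the `(tos ..., id N, offset N, flags [..], ... length N)` header), IPv4 headers without options (20 bytes), and a constructed sample capture with documentation addresses; the "retransmission" heuristic (repeated fragmented datagrams of the same reassembled size in the same direction with nothing coming back) is this example's own, not anything strongSwan reports.

```python
"""Spot IP-fragmented IKE datagrams and unanswered retransmissions in tcpdump -v output."""
import re
from collections import defaultdict

# Constructed sample (not a capture from the thread): a strongSwan responder
# (198.51.100.10) answers a 336 byte request with a ~1.6 KB IKE_AUTH reply that
# the kernel splits into two IP fragments, retransmits it twice, and never
# hears from the peer (203.0.113.20) again.
SAMPLE = """\
10:16:00.050000 IP (tos 0x0, ttl 64, id 3999, offset 0, flags [DF], proto UDP (17), length 364) 203.0.113.20.4500 > 198.51.100.10.4500: UDP, length 336
10:16:00.100000 IP (tos 0x0, ttl 64, id 4001, offset 0, flags [+], proto UDP (17), length 1500) 198.51.100.10.4500 > 203.0.113.20.4500: UDP, length 1620
10:16:00.100050 IP (tos 0x0, ttl 64, id 4001, offset 1480, flags [none], proto UDP (17), length 168) 198.51.100.10 > 203.0.113.20: ip-proto-17
10:16:04.100000 IP (tos 0x0, ttl 64, id 4002, offset 0, flags [+], proto UDP (17), length 1500) 198.51.100.10.4500 > 203.0.113.20.4500: UDP, length 1620
10:16:04.100050 IP (tos 0x0, ttl 64, id 4002, offset 1480, flags [none], proto UDP (17), length 168) 198.51.100.10 > 203.0.113.20: ip-proto-17
10:16:12.100000 IP (tos 0x0, ttl 64, id 4003, offset 0, flags [+], proto UDP (17), length 1500) 198.51.100.10.4500 > 203.0.113.20.4500: UDP, length 1620
10:16:12.100050 IP (tos 0x0, ttl 64, id 4003, offset 1480, flags [none], proto UDP (17), length 168) 198.51.100.10 > 203.0.113.20: ip-proto-17
"""

IKE_PORTS = {500, 4500}   # IKE and IKE over UDP encapsulation (NAT-T)
IPV4_HDR = 20             # assumption: no IP options

# Matches the `tcpdump -v` IPv4 header block; ports are optional because only the
# first fragment of a datagram carries the UDP header (later ones print "ip-proto-17").
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*?\bid (?P<id>\d+), offset (?P<off>\d+), "
    r"flags \[(?P<flags>[^\]]*)\].*?length (?P<iplen>\d+)\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:"
)


def parse(text):
    """Turn tcpdump -v lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        h, mnt, s = m["ts"].split(":")
        records.append({
            "t": int(h) * 3600 + int(mnt) * 60 + float(s),
            "id": int(m["id"]), "off": int(m["off"]),
            "more": "+" in m["flags"],              # "more fragments" bit
            "payload": int(m["iplen"]) - IPV4_HDR,  # bytes carried by this fragment
            "src": m["src"], "dst": m["dst"],
            "sport": int(m["sport"]) if m["sport"] else None,
            "dport": int(m["dport"]) if m["dport"] else None,
        })
    return records


def datagrams(records):
    """Group fragments by (src, dst, IP id) and describe each reassembled datagram."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["dst"], r["id"])].append(r)
    out = []
    for (src, dst, _), frags in groups.items():
        frags.sort(key=lambda r: r["off"])
        first = frags[0]
        # Walk the offset chain: complete only if every piece is present and the
        # last one has the "more fragments" bit clear.
        expected, complete = 0, True
        for f in frags:
            if f["off"] != expected:
                complete = False
                break
            expected = f["off"] + f["payload"]
        complete = complete and not frags[-1]["more"]
        out.append({
            "t": first["t"], "src": src, "dst": dst,
            "sport": first["sport"], "dport": first["dport"],
            "fragmented": first["more"] or len(frags) > 1, "complete": complete,
            "size": IPV4_HDR + expected,  # reassembled IP length (partial if incomplete)
        })
    out.sort(key=lambda d: d["t"])
    return out


def analyze(records, mtu=1500):
    """Per direction: fragmented IKE datagrams, same-size repeats, and whether the peer replied."""
    dgs = datagrams(records)
    report = {}
    for d in dgs:
        if not d["fragmented"] or not ({d["sport"], d["dport"]} & IKE_PORTS):
            continue
        key = f"{d['src']}>{d['dst']}"
        rep = report.setdefault(key, {
            "fragmented": 0, "incomplete": 0, "largest": 0, "same_size_repeats": 0,
            "exceeds_mtu": False, "peer_answered": False, "first_seen": d["t"],
            "_sizes": defaultdict(int)})
        rep["fragmented"] += 1
        rep["incomplete"] += 0 if d["complete"] else 1
        rep["largest"] = max(rep["largest"], d["size"])
        rep["_sizes"][d["size"]] += 1
        rep["same_size_repeats"] = max(rep["_sizes"].values())
        rep["exceeds_mtu"] = rep["largest"] > mtu
    for key, rep in report.items():
        src, dst = key.split(">")
        # Did anything come back from the peer after our first fragmented send?
        rep["peer_answered"] = any(
            d["src"] == dst and d["dst"] == src and d["t"] > rep["first_seen"] for d in dgs)
        del rep["_sizes"]
    return report


def diagnose(rep):
    """One-line reading of a direction's report (heuristic, this example's own)."""
    if rep["exceeds_mtu"] and rep["same_size_repeats"] >= 2 and not rep["peer_answered"]:
        return (f"fragmented IKE message ({rep['largest']} bytes) resent "
                f"{rep['same_size_repeats']} times with no reply: UDP fragments are "
                "probably dropped in the path or the peer cannot reassemble; shrink the "
                "message or use IKEv2 fragmentation only if both ends support it")
    return "no unanswered fragmented IKE messages seen"


if __name__ == "__main__":
    for flow, rep in analyze(parse(SAMPLE)).items():
        print(flow, rep)
        print("  ->", diagnose(rep))
```

Run it against `tcpdump -n -v udp port 500 or udp port 4500` output from the strongSwan host; a direction that shows `exceeds_mtu` with several same-size repeats and `peer_answered` False is the pattern from the post above, and the capture alone cannot tell whether the fragments were filtered en route or arrived at a client that cannot reassemble them.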