[strongSwan] udp packet size
Steffen Plotner
swplotner at amherst.edu
Mon Mar 16 14:49:03 CET 2015
Hi Fred,
> -----Original Message-----
> On 12/03/2015 02:35, Steffen Plotner wrote:
> > Hi,
> >
> > Strongswan 5.2.2 on linux (centos 6) IKEv2 configuration for windows
> clients I have the following problem:
> >
> > Initiator sends IKE_SA_INIT
> > Server responds with IKE_SA_INIT
> > Initiator sends IKE_AUTH
> > Server responds with a fragmented IP packet of 1514 bytes (the MTU is
> 1500 on the outgoing interface).
>
> Just an update. Using ECDSA means these large packets are no longer an
> issue. Perhaps RSA is preferred from a security point of view; I don't
> know. But certainly the smaller key footprint without having to reduce
> the RSA keysize or use a short DN is maybe a good solution.
I actually did try the ECDSA cert and saw that the packet sizes are small enough to not fragment, but the Windows 7 client does not understand it. It ends up just hanging the connection process. I found a reference about that here:
https://www.mail-archive.com/users@lists.strongswan.org/msg04603.html
Steffen
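As an added illustration of the fragmentation problem discussed in this thread (not code from the thread or from strongSwan), the following Python decodes the fixed IKEv2 header (RFC 7296, section 3.1) from a UDP payload and checks whether the declared IKE message length, plus IPv4 and UDP headers, exceeds the interface MTU. The sample headers, SPIs and the 1486-byte IKE_AUTH length are constructed so that the wire size comes out at the 1514 bytes mentioned above; plain UDP/500 framing (no NAT-T non-ESP marker) is assumed.

```python
import struct

# Fixed IKEv2 header: initiator SPI, responder SPI, next payload, version,
# exchange type, flags, message ID, length (all big-endian, 28 bytes in total).
IKE_HEADER = struct.Struct("!QQBBBBII")
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_RESPONSE = 0x20      # R bit in the flags octet
IP_HEADER = 20            # IPv4 header without options
UDP_HEADER = 8


def parse_ike_header(payload: bytes) -> dict:
    """Decode the fixed IKEv2 header carried in a UDP/500 payload."""
    if len(payload) < IKE_HEADER.size:
        raise ValueError("payload shorter than an IKEv2 header")
    ispi, rspi, nxt, ver, exch, flags, msg_id, length = IKE_HEADER.unpack_from(payload)
    return {
        "initiator_spi": ispi,
        "responder_spi": rspi,
        "next_payload": nxt,
        "version": (ver >> 4, ver & 0x0F),
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "is_response": bool(flags & FLAG_RESPONSE),
        "message_id": msg_id,
        "length": length,         # total IKE message length as declared by the sender
    }


def wire_size(ike_length: int) -> int:
    """Bytes the datagram occupies on the wire: IP + UDP headers + IKE message."""
    return IP_HEADER + UDP_HEADER + ike_length


def will_ip_fragment(ike_length: int, mtu: int = 1500) -> bool:
    """True when the datagram must be IP-fragmented to fit the interface MTU."""
    return wire_size(ike_length) > mtu


def build_header(exch: int, flags: int, msg_id: int, length: int, nxt: int) -> bytes:
    # Constructed sample header; the SPIs are arbitrary test values and the
    # body is omitted, so only the declared length field matters here.
    return IKE_HEADER.pack(0x1122334455667788, 0x8877665544332211,
                           nxt, 0x20, exch, flags, msg_id, length)


# Constructed samples: a 400-byte IKE_SA_INIT request (next payload 33 = SA) and
# an IKE_AUTH response (next payload 46 = Encrypted) whose 1486-byte IKE message
# yields 1486 + 28 = 1514 bytes on the wire, over a 1500-byte MTU.
SAMPLE_IKE_SA_INIT = build_header(34, 0, 0, 400, 33)
SAMPLE_IKE_AUTH_RESPONSE = build_header(35, FLAG_RESPONSE, 1, 1486, 46)

if __name__ == "__main__":
    for pkt in (SAMPLE_IKE_SA_INIT, SAMPLE_IKE_AUTH_RESPONSE):
        h = parse_ike_header(pkt)
        print(h["exchange"], "response" if h["is_response"] else "request",
              h["length"], "fragments" if will_ip_fragment(h["length"]) else "fits")
```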