[strongSwan] Timeout on the first phase using RSA
abi
abi at abinet.ru
Fri May 22 18:13:26 CEST 2015
You are right - this is a network issue. I tried from another cell
operator and the connection succeeded.
Looks like Android's racoon does not support fragmentation for IKEv1. I
switched to strongSwan VPN for Android and enabled IKEv2. I've got 2
packets with fragmentation enabled, but one still with len mismatch (4
bytes difference!)
15:44:25.658799 IP (tos 0x48, ttl 54, id 26598, offset 0, flags [+],
proto UDP (17), length 1356)
host-106-158-66-217.spbmts.ru.26266 > xxxxxx.sae-urn: NONESP-encap:
isakmp 2.0 msgid 00000001 cookie 68c75642df85405f->764fda277f896169:
child_sa ikev2_auth[I]: [|#53] (len mismatch: isakmp 1360/ip 1324)
15:44:25.679637 IP (tos 0x48, ttl 54, id 0, offset 0, flags [DF], proto
UDP (17), length 672)
host-106-158-66-217.spbmts.ru.26266 > xxxxxx.sae-urn: [udp sum ok]
NONESP-encap: isakmp 2.0 msgid 00000001 cookie
68c75642df85405f->764fda277f896169: child_sa ikev2_auth[I]:
(#53)
On 22/05/2015 16:36, Tobias Brunner wrote:
> Hi,
>
>> Can you give me the tips - where is the root of the problem - server,
>> client or strongswan ?
> Some routers/firewalls may drop IP fragments. To avoid fragments on the
> IP layer you could try enabling IKE fragmentation with fragmentation=yes
> in your config.
>
> Regards,
> Tobias
>
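An added example, not part of the original message or of strongSwan: a small Python helper that reads the two tcpdump records quoted above and works out how many IKE bytes each IP packet carries, which is where the "isakmp 1360/ip 1324" figures in the mismatch note come from. It assumes an IPv4 header without options and the 4-byte non-ESP marker that precedes IKE on the NAT-T port (RFC 3948); the function and field names are illustrative.

```python
import re

IPV4_HDR = 20        # assumption: IPv4 header without options
UDP_HDR = 8
NON_ESP_MARKER = 4   # RFC 3948: four zero bytes before IKE on the NAT-T port

# The two records from the message above, each joined onto one line.
RECORDS = [
    "15:44:25.658799 IP (tos 0x48, ttl 54, id 26598, offset 0, flags [+], "
    "proto UDP (17), length 1356) host-106-158-66-217.spbmts.ru.26266 > "
    "xxxxxx.sae-urn: NONESP-encap: isakmp 2.0 msgid 00000001 cookie "
    "68c75642df85405f->764fda277f896169: child_sa ikev2_auth[I]: [|#53] "
    "(len mismatch: isakmp 1360/ip 1324)",
    "15:44:25.679637 IP (tos 0x48, ttl 54, id 0, offset 0, flags [DF], "
    "proto UDP (17), length 672) host-106-158-66-217.spbmts.ru.26266 > "
    "xxxxxx.sae-urn: [udp sum ok] NONESP-encap: isakmp 2.0 msgid 00000001 "
    "cookie 68c75642df85405f->764fda277f896169: child_sa ikev2_auth[I]: (#53)",
]

def analyse(record):
    """Relate the IP length of one tcpdump record to the IKE message inside it."""
    ip_len = int(re.search(r"proto UDP \(17\), length (\d+)\)", record).group(1))
    flags = re.search(r"flags \[([^\]]*)\]", record).group(1)
    marker = NON_ESP_MARKER if "NONESP-encap" in record else 0
    present = ip_len - IPV4_HDR - UDP_HDR - marker   # IKE bytes in this packet
    m = re.search(r"len mismatch: isakmp (\d+)/ip (\d+)", record)
    declared = int(m.group(1)) if m else present     # IKE header length field
    return {
        "ip_fragmented": "+" in flags,               # More Fragments bit set
        "ike_present": present,
        "ike_declared": declared,
        "tcpdump_ip": int(m.group(2)) if m else None,
        "ike_missing": declared - present,           # carried by later IP fragments
        "datagram_needed": declared + marker + UDP_HDR + IPV4_HDR,
    }

if __name__ == "__main__":
    for rec in RECORDS:
        print(analyse(rec))
```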