[strongSwan] Strange issue with Windows 7 IKEv2

Fred curious_freddy at gmsl.co.uk
Tue Aug 23 20:29:53 CEST 2016


On 23/08/2016 16:49, Vukovics Mihaly wrote:
> Hello,
> 
> there is a Strongswan roadwarrior configured to send fragmented ISAKMP
> packets to the clients. The client is behind NAT (Debian Jessie,
> IPTABLES). The fragmented UDP packets are reassembled on the gateway
> (internal LAN interface JUMBO packet enabled), and thus the Client
> cannot read the IKEv2 Auth answer.
> 
> Is there any way to tell IPTABLES not to reassemble UDP packets, or give
> a smaller amount of MTU, like TCPMSS target?


There is a no fragment option in Strongswan or you can work around it
using Elliptic Curve Diffie-wotsits which have a smaller cert payload
size in the UDP packets.

