[strongSwan] Strange issue with Windows 7 IKEv2
noel at familie-kuntze.de
Tue Aug 23 21:19:58 CEST 2016
> there is a Strongswan roadwarrior configured to send fragmented ISAKMP packets to the clients.
I guess you mean IKE fragmentation with this and not IP fragmentation.
> Is there any way to tell IPTABLES not to reassemble UDP packets, or give a smaller amount of MTU, like TCPMSS target?
No. That is done by nf_conntrack_defrag, which is a requirement for stateful firewalling and you can't unload that. It's a hard dependency of many kernel modules.
Anyway, netfilter is not, will not be and never was aware of IKE fragmentation. It is only aware of IP fragmentation. Therefore the problem is not that that host reassembles anything,
because it can not reassemble IKE fragmented packets. IKE fragmentation happens on top of UDP. IP fragmentation happens (as the name implies) on the IP layer. They are totally different things.
> The fragmented UDP packets are reassembled on the gateway (internal LAN interface JUMBO packet enabled), and thus the Client cannot read the IKEv2 Auth answer.
That is a wrong conclusion. The client can read fragmented and unfragmented IKE messages just fine, __if he gets all the fragments__. This has been and still is
a big issue with many ISPs and routers, because they drop IP fragments, which is obviously an issue for protocols, which need to rely
on IP fragmentation (Anything that is message oriented, e.g. UDP, ...), because they have no such thing built in (Contrary: TCP, SCTP, ... anything stream oriented).
Mit freundlichen Grüßen/Kind Regards,
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
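To make the distinction above concrete when looking at a capture, here is an added example (not from the original post or from strongSwan) that inspects a raw IPv4 datagram and reports separately whether it is an IP-layer fragment (MF flag or non-zero offset) and whether the IKEv2 message on UDP 500/4500 starts with the Encrypted Fragment payload (type 53, RFC 7383). The sample packets are constructed with dummy SPIs and zero checksums; exchange type 35 is IKE_AUTH.

```python
import struct

IKE_HEADER_LEN = 28
IKE_PAYLOAD_SK = 46    # Encrypted payload (RFC 7296)
IKE_PAYLOAD_SKF = 53   # Encrypted Fragment payload (RFC 7383, IKEv2 fragmentation)
IP_MF = 0x2000         # "More Fragments" bit in the IPv4 flags/fragment-offset field
IP_OFFSET_MASK = 0x1FFF

def classify(packet: bytes) -> dict:
    """Report whether an IPv4 datagram is an IP fragment and/or carries an IKEv2 fragment."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    flags_off = struct.unpack("!H", packet[6:8])[0]
    offset = flags_off & IP_OFFSET_MASK
    result = {"ip_fragment": bool(flags_off & IP_MF) or offset != 0,
              "ike_fragment": False, "ike_exchange": None}
    # Non-first IP fragments carry no UDP or IKE header at all: only IP-layer
    # reassembly (nf_conntrack_defrag on Linux) can make them readable again.
    if proto != 17 or offset != 0:
        return result
    udp = packet[ihl:]
    dport = struct.unpack("!H", udp[2:4])[0]
    ike = udp[8:]
    if dport == 4500 and ike[:4] == b"\x00\x00\x00\x00":
        ike = ike[4:]          # strip the NAT-T non-ESP marker
    elif dport != 500:
        return result
    if len(ike) < IKE_HEADER_LEN:
        return result
    next_payload, version, exchange, _flags, _msg_id, _length = struct.unpack("!16xBBBBII", ike[:IKE_HEADER_LEN])
    if version >> 4 != 2:
        return result
    result["ike_exchange"] = exchange
    # IKE fragmentation is only visible here, above UDP: the first payload is SKF (53)
    result["ike_fragment"] = next_payload == IKE_PAYLOAD_SKF
    return result

def ike_header(next_payload: int, exchange: int = 35) -> bytes:
    """Constructed IKEv2 header (exchange 35 = IKE_AUTH), response flag set, dummy SPIs."""
    return struct.pack("!8s8sBBBBII", b"\x01" * 8, b"\x02" * 8,
                       next_payload, 0x20, exchange, 0x20, 1, IKE_HEADER_LEN)

def build_packet(ike: bytes, dport: int = 500, more_fragments: bool = False, offset: int = 0) -> bytes:
    """Constructed IPv4+UDP wrapper around an IKE message; checksums left zero."""
    udp = struct.pack("!HHHH", 500, dport, 8 + len(ike), 0) + ike
    flags_off = (IP_MF if more_fragments else 0) | (offset & IP_OFFSET_MASK)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, flags_off,
                     64, 17, 0, bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1]))
    return ip + udp
```

A non-first IP fragment is classified as an IP fragment but yields no IKE information, which is exactly why a middlebox dropping such fragments breaks the IKE_AUTH answer while IKE-level fragments pass through untouched.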