[strongSwan] using 500/tcp

Harald Dunkel harri at afaics.de
Sat Jul 16 22:32:43 CEST 2016


Hi folks,

I am using IPv6 over IPv4 at home (via sixxs.net). No NAT.

Problem: The mtu of this tunnel is less than 1500. On the
first run IKEv2 on my Mac fails with icmp6 "Packet Too Big".
Since the protocol is udp there is no packet to fragment and
resend, which means a 10-second delay until a higher network
layer wakes up and tries to authenticate again. Then it works.

Looking at this I wonder if it is reasonable to ignore 500/tcp
for Strongswan?

Of course I saw https://wiki.strongswan.org/issues/830, but
IMHO the fragment feature in strongSwan doesn't really help in
this case. The "Packet Too Big" is returned by the IPv6 tunnel.
Strongswan on the peer did not see any incoming packet to
defragment yet.


Every helpful comment is highly appreciated
Harri

