[strongSwan] using 500/tcp
Tobias Brunner
tobias at strongswan.org
Mon Jul 18 11:53:03 CEST 2016
Hi Harald,
> Problem: The MTU of this tunnel is less than 1500. On the
> first run, IKEv2 on my Mac fails with ICMPv6 "Packet Too Big".
> Since the protocol is UDP there is no packet to fragment and
> resend, which means a 10-second delay until a higher network
> layer wakes up and tries to authenticate again. Then it works.
Are you saying the first packet (IKE_SA_INIT) is already bigger than
your MTU? Any IKE message sent later should be fragmented if you enable
IKE fragmentation. And retransmits of the IKE_SA_INIT message should
also be fragmented, I guess, if an ICMP was returned (unless the route
cache or wherever Mac OS X stores the PMTU is not immediately updated).
> Looking at this I wonder if it is reasonable to ignore 500/tcp
> for strongSwan?
Until [1] is standardized this won't change (it also requires kernel
changes for ESP in TCP encapsulation).
Regards,
Tobias
[1] https://tools.ietf.org/html/draft-ietf-ipsecme-tcp-encaps
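Added example, not part of the thread and not taken from the strongSwan project's documentation: the configuration that enables the IKEv2 fragmentation (RFC 7383) Tobias refers to, shown in both the classic ipsec.conf style and the swanctl.conf style. It assumes strongSwan 5.2.1 or later, where the `fragmentation` option exists, and uses a hypothetical connection name `mactunnel` with constructed documentation addresses.

```conf
# --- ipsec.conf (constructed example) ---------------------------------
conn mactunnel
    keyexchange=ikev2
    # Enable RFC 7383 IKEv2 fragmentation. Only the encrypted messages that
    # follow IKE_SA_INIT (IKE_AUTH, CREATE_CHILD_SA, INFORMATIONAL) can be
    # split at the IKE layer; IKE_SA_INIT itself still travels as a single
    # UDP datagram and depends on IP-level fragmentation / PMTU handling.
    fragmentation=yes
    left=%any
    leftauth=pubkey
    leftcert=mactunnelCert.pem
    leftsubnet=10.1.0.0/16
    right=192.0.2.1
    rightauth=pubkey
    rightid="C=CH, O=Example, CN=gw.example.org"
    rightsubnet=10.2.0.0/16
    auto=add

# --- swanctl.conf equivalent (constructed example) --------------------
connections {
    mactunnel {
        version = 2
        fragmentation = yes
        local_addrs  = 0.0.0.0/0
        remote_addrs = 192.0.2.1
        local {
            auth = pubkey
            certs = mactunnelCert.pem
        }
        remote {
            auth = pubkey
            id = "C=CH, O=Example, CN=gw.example.org"
        }
        children {
            net {
                local_ts  = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
            }
        }
    }
}

# --- strongswan.conf (optional tuning, constructed example) ------------
charon {
    # Maximum size in bytes of a sent IKE fragment. 1280 is the IPv6
    # minimum MTU and is a safe value for a tunnel whose MTU is below 1500.
    fragment_size = 1280
}
```

Both peers have to support RFC 7383 for this to take effect: support is announced with an IKEV2_FRAGMENTATION_SUPPORTED notify in IKE_SA_INIT, and fragments are only sent once both sides have announced it. Because IKE_SA_INIT is never IKE-fragmented, this setting does not help with the first message of the exchange, which is the case the quoted report describes.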