[strongSwan] using 500/tcp

Tobias Brunner tobias at strongswan.org
Mon Jul 18 11:53:03 CEST 2016

Hi Harald,

> Problem: The mtu of this tunnel is less than 1500. On the
> first run IKEv2 on my Mac fails with icmp6 "Packet Too Big".
> Since the protocol is udp there is no packet to fragment and
> resend, which means a 10 seconds delay until a higher network
> layer wakes up and tries to authenticate again. Then it works.

Are you saying the first packet (IKE_SA_INIT) is already bigger than
your MTU?  Any IKE message sent later should be fragmented if you enable
IKE fragmentation.  And retransmits of the IKE_SA_INIT message should
also be fragmented, I guess, if an ICMP was returned (unless the route
cache or wherever Mac OS X stores the PMTU is not immediately updated).

> Looking at this I wonder if it is reasonable to ignore 500/tcp
> for Strongswan?

Until [1] is standardized this won't change (it also requires kernel
changes for ESP in TCP encapsulation).


[1] https://tools.ietf.org/html/draft-ietf-ipsecme-tcp-encaps

More information about the Users mailing list