[strongSwan] using 500/tcp

Harald Dunkel harald.dunkel at aixigo.de
Fri Jul 22 09:09:30 CEST 2016

Hi Tobias,

On 07/21/16 11:24, Tobias Brunner wrote:
> Hi Harald,
>> AFAIU defragmentation is enabled in strongswan for incoming packages,
>> anyway.
> That's basically for IKEv1 where the first message may already be
> fragmented and for misbehaving peers that send fragmented packets even
> if it wasn't enabled explicitly.  It does not mean that the notify to
> enable fragmentation is actually sent.  That's only the case if
> `fragmentation` is enabled.

If the package to send is too large, what choice does a peer
initiating the connection have?

> Interestingly, the capture does not show any retransmits and only one
> IKE_AUTH request on the second try (the last small message).  Since that
> message has still the same size I guess the IKE daemon did not adjust
> the fragment size but that the messages were just fragmented on the IP
> layer.  Anyway, it shows responses by strongSwan, so the messages
> apparently came through.  It also shows that strongSwan correctly
> fragments its response to a maximum size of 1280 for the complete IP
> packet (the 8 byte difference to that theoretical maximum is due to the
> 16-byte blocksize):

Now I see. The "fragmentation" option is about fragmentation on
IKEv2 level.

> So I guess you could also just start the connection, then manually
> disconnect (about when you are sure the IKE_AUTH requests were sent) and
> then connect again.

Sure. But since this is understood now I have configured a higher
MTU for the IPv6 tunnel on sixxs.net, as described on their web pages.
It's not deeply verified yet, but the delay for IKEv2 over the IPv6
tunnel is gone.

Of course I had created a bug report on https://bugreport.apple.com/ .

Thanx very much
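The sizing Tobias describes (IKEv2-level fragments chosen so that the complete IP packet fits 1280 bytes, rounded to the cipher block size), as an added illustration that is not strongSwan's code or part of this thread. Header sizes follow RFC 7296, RFC 7383 and RFC 8200; the cipher parameters (16-byte IV and block, 16-byte ICV) and the 3000-byte IKE_AUTH are assumptions, and how far the packet ends up below the MTU depends on those IV/ICV lengths.

```python
"""Illustrative IKEv2 fragment sizing (added example, not strongSwan's code)."""
from dataclasses import dataclass
from math import ceil

IP_HEADER = {4: 20, 6: 40}
UDP_HEADER = 8
IKE_HEADER = 28   # fixed IKEv2 header (RFC 7296)
SKF_HEADER = 8    # Encrypted Fragment payload: generic header + fragment number/total (RFC 7383)


@dataclass(frozen=True)
class Cipher:
    iv_len: int    # assumed 16 (AES-CBC)
    block: int     # assumed 16 (AES)
    icv_len: int   # assumed 16 (e.g. HMAC-SHA2-256-128)


def fragment_plan(plaintext_len: int, mtu: int, ip_version: int, c: Cipher) -> dict:
    """Split an encrypted IKE message so each fragment's whole IP packet fits `mtu`.

    The encrypted part must be a whole number of cipher blocks and one byte of the
    last block is the pad-length byte, so usable plaintext per fragment is rounded
    down and the full packet lands slightly below the MTU.
    """
    room = (mtu - IP_HEADER[ip_version] - UDP_HEADER - IKE_HEADER
            - SKF_HEADER - c.iv_len - c.icv_len)
    cipher_len = (room // c.block) * c.block      # whole blocks only
    per_fragment = cipher_len - 1                 # reserve the pad-length byte
    return {
        "fragments": ceil(plaintext_len / per_fragment),
        "plaintext_per_fragment": per_fragment,
        "full_packet_len": mtu - (room - cipher_len),
    }


def ipv6_fragments_without_ikev2_fragmentation(ike_len: int, mtu: int) -> int:
    """Without IKEv2 fragmentation the UDP datagram is fragmented at the IP layer.

    Each IPv6 piece carries the 40-byte header plus an 8-byte Fragment header, and
    every piece but the last is a multiple of 8 bytes. These pieces are what
    tunnels and filters tend to drop, which is why the IKE-level option matters.
    """
    payload = UDP_HEADER + ike_len
    per_piece = (mtu - IP_HEADER[6] - 8) // 8 * 8
    return ceil(payload / per_piece)


if __name__ == "__main__":
    aes_cbc_sha256 = Cipher(iv_len=16, block=16, icv_len=16)
    # constructed: an IKE_AUTH carrying a certificate chain, ~3000 bytes of plaintext
    print(fragment_plan(3000, 1280, 6, aes_cbc_sha256))
    print(ipv6_fragments_without_ikev2_fragmentation(3100, 1280))
```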