[strongSwan] using 500/tcp

Tobias Brunner tobias at strongswan.org
Fri Jul 22 12:59:45 CEST 2016


Hi Harald,

>>> AFAIU defragmentation is enabled in strongswan for incoming packages,
>>> anyway.
>>
>> That's basically for IKEv1 where the first message may already be
>> fragmented and for misbehaving peers that send fragmented packets even
>> if it wasn't enabled explicitly.  It does not mean that the notify to
>> enable fragmentation is actually sent.  That's only the case if
>> `fragmentation` is enabled.
>>
> 
> If the package to send is too large, what choice does a peer
> initiating the connection have?

Then normal IP fragmentation will be used, which would work fine except
there are some ISPs/routers/firewalls that drop IP fragments.  And PMTUD
might also not work properly because ICMPs might be dropped by the same
intermediaries.  And as seen here even with PMTUD working there could be
problems if messages are not resent.

>> Interestingly, the capture does not show any retransmits and only one
>> IKE_AUTH request on the second try (the last small message).  Since that
>> message has still the same size I guess the IKE daemon did not adjust
>> the fragment size but that the messages were just fragmented on the IP
>> layer.  Anyway, it shows responses by strongSwan, so the messages
>> apparently came through.  It also shows that strongSwan correctly
>> fragments its response to a maximum size of 1280 for the complete IP
>> packet (the 8 byte difference to that theoretical maximum is due to the
>> 16-byte blocksize):
>>
> 
> Now I see. The "fragmentation" option is about fragmentation on
> IKEv2 level.

Yes, this has nothing to do with IP fragments.

>> So I guess you could also just start the connection, then manually
>> disconnect (about when you are sure the IKE_AUTH requests were sent) and
>> then connect again.
>>
> 
> Sure. But since this is understood now I have configured a higher
> MTU for the IPv6 tunnel on sixxs.net, as described on their web pages.
> It's not deeply verified yet, but the delay for IKEv2 over the IPv6
> tunnel is gone.
> 
> Of course I had created a bug report on https://bugreport.apple.com/ .

OK, great.

Regards,
Tobias
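
The size arithmetic behind the 1280-byte fragment limit discussed above, as an added example that is not part of the original mail and not strongSwan code. It models one IKEv2 encrypted fragment using the RFC 7383 payload layout. The cipher parameters (16-byte IV, 16-byte blocks, 16-byte or 12-byte ICV), the UDP port, the IP version and the message lengths are assumptions, since the mail does not state what the capture used.

```python
from dataclasses import dataclass

IKE_HEADER = 28          # fixed IKE header (RFC 7296)
SKF_HEADER = 8           # generic payload header (4) + fragment number (2) + total fragments (2)
UDP_HEADER = 8
NON_ESP_MARKER = 4       # precedes IKE messages sent on UDP port 4500
IP_HEADER = {4: 20, 6: 40}  # assumes no IP options or extension headers


@dataclass
class FragmentSize:
    ciphertext: int  # encrypted bytes, a multiple of the cipher block size
    payload: int     # inner payload bytes carried (ciphertext minus the pad-length octet)
    packet: int      # size of the resulting IP packet
    slack: int       # bytes below the configured maximum lost to block alignment


def _outer(ip_version, port_4500):
    """Bytes in front of the IKE header: IP, UDP and, on port 4500, the marker."""
    return IP_HEADER[ip_version] + UDP_HEADER + (NON_ESP_MARKER if port_4500 else 0)


def fragment_size(max_packet, ip_version, port_4500, iv_len, icv_len, block):
    """Largest IKEv2 fragment that keeps the whole IP packet <= max_packet."""
    overhead = _outer(ip_version, port_4500) + IKE_HEADER + SKF_HEADER + iv_len + icv_len
    room = max_packet - overhead
    if room < block:
        raise ValueError("maximum packet size too small for one cipher block")
    ciphertext = room - room % block  # round down to a whole number of blocks
    return FragmentSize(ciphertext, ciphertext - 1, overhead + ciphertext, room - ciphertext)


def needs_ip_fragmentation(ike_message_len, path_mtu, ip_version, port_4500):
    """True if an IKE message sent without IKEv2 fragmentation exceeds the path MTU."""
    return _outer(ip_version, port_4500) + ike_message_len > path_mtu


if __name__ == "__main__":
    # Constructed case: IPv6, UDP 4500, CBC cipher with 16-byte ICV, 1280-byte limit.
    print(fragment_size(1280, 6, True, iv_len=16, icv_len=16, block=16))
    # Constructed case: same limit on UDP 500 with a 12-byte ICV fills the packet exactly.
    print(fragment_size(1280, 6, False, iv_len=16, icv_len=12, block=16))
    # Constructed 1900-byte IKE_AUTH over a 1280-byte path: left to IP fragmentation.
    print(needs_ip_fragmentation(1900, 1280, 6, True))
```

Under the first set of assumed parameters the packet comes out 8 bytes below 1280, and under the second it reaches 1280 exactly, so the gap depends on the negotiated algorithms and the port.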


