[strongSwan] [Strongswan-5.3.0] - Ikev2 fragmentation Question
sriram.ec at gmail.com
Fri Jul 29 12:48:21 CEST 2016
Thanks for the reply.
I have set fragment_size = 1200 in strongswan.conf and fragmentation=yes in
the ipsec.conf on the client side. Even though it is 1200, the IKE packets
that are sent from the client are of size 576. I have not changed the
configuration file, as the generation of the file is automated.
Later I found that there are some trailing characters at the end (shown in
bold below) which corrupted the strongswan.conf file.
# number of worker threads in charon
threads = 16
close_ike_on_child_failure = yes
retransmit_tries = 20
retransmit_timeout = 20
retransmit_base = 1
fragment_size = 1200
keep_alive = 20s
# send strongswan vendor ID?
# send_vendor_id = yes
# loglevel to log into sql database
loglevel = -1
# URI to the database
# database = sqlite:///path/to/file.db
# database = mysql://user:password@localhost
file = /etc/resolvtunnel.conf
# set to no, the DH exponent size is optimized
# dh_exponent_ansi_x9_42 = no
*o, the DH exponent size is optimized # dh_exponent_ansi_x9_42 =
So I think, since the strongswan.conf file is not proper, charon would have
defaulted to 576. Please clarify.
On Fri, Jul 29, 2016 at 1:48 PM, Tobias Brunner <tobias at strongswan.org>
> Hi Sriram,
> > But the concern is fragment size, though it is set as 1200,
> > fragment_size of 576 is seen in the wireshark.
> I'm assuming for packets sent by the gateway. The fragment size is not
> negotiated, so the gateway might just default to the minimum datagram
> size a host must be able to accept, which is 576 for IPv4.
> If it is for packets sent by the client make sure the
> charon.fragment_size setting you configured is actually picked up (i.e.
> you edited the right file) and it does not get changed by e.g. an
> included config file.
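As an added example that is not part of this thread and not strongSwan's own code: a small Python checker, modelled on the posted strongswan.conf fragment, that flags lines the settings parser would not accept (such as the stray "*o, the DH exponent ..." line) and reports which charon.fragment_size value would take effect. It assumes, without confirmation from the thread, that charon rejects a file containing a syntax error as a whole and falls back to its defaults, and it takes 576 as the assumed default because that is the value seen in the discussion; the sample configuration is constructed.

```python
"""Sanity-check a strongswan.conf-style file for lines its parser would reject,
and report the charon.fragment_size value that would take effect."""
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the file quoted in the post: the charon
# section with a corrupted trailing line appended by the generator.
SAMPLE_CONF = """\
charon {
    # number of worker threads in charon
    threads = 16
    close_ike_on_child_failure = yes
    retransmit_tries = 20
    retransmit_timeout = 20
    retransmit_base = 1
    fragment_size = 1200
    keep_alive = 20s
    # set to no, the DH exponent size is optimized
    # dh_exponent_ansi_x9_42 = no
    *o, the DH exponent size is optimized # dh_exponent_ansi_x9_42 =
}
"""

# Assumed default (from the thread's observation, not verified against the
# strongSwan source for this version).
ASSUMED_DEFAULT_FRAGMENT_SIZE = 576

KEY_VALUE = re.compile(r'^([A-Za-z0-9_-]+)\s*=\s*(.*)$')
SECTION_OPEN = re.compile(r'^([A-Za-z0-9_-]+)\s*\{$')


def parse_conf(text: str) -> Tuple[Dict[str, str], List[Tuple[int, str]]]:
    """Parse 'key = value' lines inside nested 'name { ... }' sections.

    Returns (settings, errors): settings maps dotted keys such as
    'charon.fragment_size' to their raw string value; errors lists
    (line_number, line) for every line that is not blank, a comment, a section
    open/close, or a 'key = value' pair. A '#' starts a comment to end of line
    (quoted values containing '#' are not handled, to keep the checker short).
    """
    settings: Dict[str, str] = {}
    errors: List[Tuple[int, str]] = []
    stack: List[str] = []
    lines = text.splitlines()
    for no, raw in enumerate(lines, 1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line == '}':
            if stack:
                stack.pop()
            else:
                errors.append((no, raw.rstrip()))
            continue
        m = SECTION_OPEN.match(line)
        if m:
            stack.append(m.group(1))
            continue
        m = KEY_VALUE.match(line)
        if m:
            settings['.'.join(stack + [m.group(1)])] = m.group(2).strip()
            continue
        errors.append((no, raw.rstrip()))
    if stack:
        errors.append((len(lines), 'unclosed section(s): ' + '/'.join(stack)))
    return settings, errors


def effective_fragment_size(text: str,
                            default: int = ASSUMED_DEFAULT_FRAGMENT_SIZE
                            ) -> Tuple[int, List[Tuple[int, str]]]:
    """Return (fragment size charon would use, parse errors).

    Assumption: a file with any syntax error is rejected as a whole, so every
    setting, including charon.fragment_size, falls back to its default.
    """
    settings, errors = parse_conf(text)
    if errors:
        return default, errors
    return int(settings.get('charon.fragment_size', default)), errors


def strip_bad_lines(text: str) -> str:
    """Drop the lines parse_conf flags, yielding a file the parser accepts."""
    bad = {no for no, _ in parse_conf(text)[1]}
    kept = [l for no, l in enumerate(text.splitlines(), 1) if no not in bad]
    return '\n'.join(kept) + '\n'


if __name__ == '__main__':
    size, errs = effective_fragment_size(SAMPLE_CONF)
    for no, line in errs:
        print(f'line {no}: unparseable: {line!r}')
    print(f'effective charon.fragment_size: {size}')
    print('after removing bad lines:',
          effective_fragment_size(strip_bad_lines(SAMPLE_CONF))[0])
```

Run against the constructed sample, the checker reports the corrupted line 12 and an effective fragment size of 576 under the stated assumption; with that line removed the configured 1200 is reported, which is the symptom the post describes.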