[strongSwan] [Strongswan-5.3.0] - Ikev2 fragmentation Question

Sriram sriram.ec at gmail.com
Fri Jul 29 12:48:21 CEST 2016


Hi Tobias,

Thanks for the reply.

I have set fragment_size = 1200 in strongswan.conf and fragmentation=yes in
the ipsec.conf on the client side. Even though it is 1200, the IKE packets
sent from the client are of size 576. I have not changed the
configuration file, as the generation of the file is automated.

Later I found that there are some trailing characters at the end (shown in
bold below) which corrupted the strongswan.conf file.

charon {

        # number of worker threads in charon
        threads = 16

        close_ike_on_child_failure = yes
        retransmit_tries = 20
        retransmit_timeout = 20
        retransmit_base = 1
        fragment_size = 1200

        keep_alive = 20s
        # send strongswan vendor ID?
        # send_vendor_id = yes

        plugins {

                sql {
                        # loglevel to log into sql database
                        loglevel = -1
                        # URI to the database
                        # database = sqlite:///path/to/file.db
                        # database = mysql://user:password@localhost/database
                }
                resolve{
                       file = /etc/resolvtunnel.conf
                }
        }
}

pluto {

}
libstrongswan {
        #  set to no, the DH exponent size is optimized
        #  dh_exponent_ansi_x9_42 = no
}



*o, the DH exponent size is optimized        #  dh_exponent_ansi_x9_42 =
no}*

So I think that, since the strongswan.conf file is not proper, charon would
have defaulted to 576. Please clarify.


Regards,
Sriram




On Fri, Jul 29, 2016 at 1:48 PM, Tobias Brunner <tobias at strongswan.org>
wrote:

> Hi Sriram,
>
> > But the concern is fragment size, though it is set as 1200,
> > fragment_size of 576 is seen in the wireshark.
>
> I'm assuming for packets sent by the gateway.  The fragment size is not
> negotiated, so the gateway might just default to the minimum datagram
> size a host must be able to accept, which is 576 for IPv4.
>
> If it is for packets sent by the client make sure the
> charon.fragment_size setting you configured is actually picked up (i.e.
> you edited the right file) and it does not get changed by e.g. an
> included config file.
>
> Regards,
> Tobias
>
>
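A small check of the kind Tobias suggests (confirming the setting is actually picked up), added here as an example that is not part of the thread or of strongSwan: it flags text outside any section, such as the trailing characters in the file above, and reports charon.fragment_size only when the file parses cleanly. The grammar is a simplified approximation of strongswan.conf (no `include`, comments stripped at the first `#`), and the sample input is constructed from the file in the thread.

```python
"""Validator for strongswan.conf-style files (added example, simplified grammar)."""
import re

KEY_RE = re.compile(r"^([\w.-]+)\s*=\s*(.*)$")
SECTION_RE = re.compile(r"^([\w.-]+)\s*\{$")

# Constructed from the thread's file, including its corrupted tail.
SAMPLE = """\
charon {
        retransmit_tries = 20
        fragment_size = 1200
        plugins {
                resolve{
                       file = /etc/resolvtunnel.conf
                }
        }
}
libstrongswan {
        #  dh_exponent_ansi_x9_42 = no
}

*o, the DH exponent size is optimized        #  dh_exponent_ansi_x9_42 =
no}*
"""

def parse_conf(text):
    """Return (settings, problems): dotted keys -> values, plus syntax issues found."""
    settings, problems, path = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and padding
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            path.append(m.group(1))                   # enter nested section
        elif line == "}":
            if path:
                path.pop()
            else:
                problems.append(f"line {lineno}: '}}' without an open section")
        elif (m := KEY_RE.match(line)):
            settings[".".join(path + [m.group(1)])] = m.group(2).strip()
        else:
            problems.append(f"line {lineno}: unexpected text: {line!r}")
    if path:
        problems.append(f"unclosed section(s): {'.'.join(path)}")
    return settings, problems

def effective_fragment_size(text):
    """fragment_size as int if the file is clean; None means charon would
    reject the file and fall back to its built-in default (assumption)."""
    settings, problems = parse_conf(text)
    if problems or "charon.fragment_size" not in settings:
        return None
    return int(settings["charon.fragment_size"])

if __name__ == "__main__":
    for problem in parse_conf(SAMPLE)[1]:
        print(problem)
    print("effective charon.fragment_size:", effective_fragment_size(SAMPLE))
```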

