[strongSwan] Unable to establish VPN tunnel from China (Strongswan IKEv2)

Tianjie Mao tjmao at tjmao.net
Thu Oct 13 13:35:01 CEST 2016


From my personal experience it looks like the other party did not send back a certificate as requested by this host, or the packet got lost on the network. IKE packets can be as large as 3,000 bytes, and China's Internet is known to have Path MTU "black holes" [1].

Please try ECDSA certificates (instead of the usual RSA) in addition to ECDH cipher suites to reduce datagram size if this is an option for you.

Tianjie Mao

[1] https://en.wikipedia.org/wiki/Path_MTU_Discovery#Problems

> On 13 Oct 2016, at 19:01, Oliver Söder <osoeder at gmx.de> wrote:
> Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[IKE] sending cert request for "C=DE, O=Eugenia Raff, CN=strongSwan Root CA"
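
The size argument in the reply above can be checked locally. The following is an added example, not part of the original message or of strongSwan: it uses the `openssl` command-line tool to build one throwaway self-signed certificate per key type and reports the DER size, which is what the IKE CERT payload carries. The subject name, RSA-2048 and P-256 are constructed sample choices.

```shell
#!/bin/sh
# Added example: compare the encoded size of an RSA and an ECDSA certificate.
# All names and key parameters are constructed sample values.

# cert_der_size TYPE
#   Prints the DER size in bytes of a throwaway self-signed certificate.
#   TYPE is "rsa" (RSA-2048) or "ecdsa" (NIST P-256 / prime256v1).
cert_der_size() {
    dir=$(mktemp -d) || return 1
    case "$1" in
        rsa)   openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null ;;
        ecdsa) openssl ecparam -name prime256v1 -genkey -noout \
                   -out "$dir/key.pem" 2>/dev/null ;;
        *)     rm -rf "$dir"; return 2 ;;
    esac
    # Self-sign with the generated key; one-day validity, sample subject.
    if ! openssl req -new -x509 -key "$dir/key.pem" -sha256 -days 1 \
            -subj "/CN=vpn.example.test" -out "$dir/cert.pem" 2>/dev/null; then
        rm -rf "$dir"; return 1
    fi
    # IKE transports the certificate in DER form, so measure that encoding.
    openssl x509 -in "$dir/cert.pem" -outform DER -out "$dir/cert.der" \
        2>/dev/null || { rm -rf "$dir"; return 1; }
    wc -c < "$dir/cert.der" | tr -d ' '
    rm -rf "$dir"
}

# compare_cert_sizes
#   Prints both sizes and the number of bytes saved by switching to ECDSA.
compare_cert_sizes() {
    rsa_size=$(cert_der_size rsa) || return 1
    ec_size=$(cert_der_size ecdsa) || return 1
    echo "RSA-2048 certificate:    $rsa_size bytes"
    echo "ECDSA P-256 certificate: $ec_size bytes"
    echo "Saved per certificate:   $((rsa_size - ec_size)) bytes"
}

compare_cert_sizes
```

The saving applies to every certificate in the chain sent in the exchange, and the signature in the AUTH payload shrinks as well.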
