[strongSwan] What the blankety-blank-blank is Win10 doing? :-)
Tobias Brunner
tobias at strongswan.org
Mon Jun 26 17:46:20 CEST 2017
Hi Karl,

> StrongSwan never gets this packet. I assume the problem here is the
> length mismatch, but not certain. What is certain is that StrongSwan
> never sees it; no matter how far up I turn the logging I never see any
> evidence of it being logged.

Sounds like an IP fragmentation issue (message is too large -> gets
fragmented -> fragments get dropped on the way to the server -> server
never sees the complete message). Unfortunately, you can't do much
about that on Windows if you want to use certificates as the built-in
client does not support IKEv2 fragmentation, ECDSA certificates (which
are significantly smaller than RSA certificates), or omit the client
certificate, and the certificate requests can't be controlled either
(since a Windows system has more and more CA certificates installed over
time, that list gets longer and longer the older a system is). The only
option to reduce the size of the IKE_AUTH message is to use EAP
authentication with username/password.

Regards,
Tobias
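
A rough size estimate for the IKE_AUTH message discussed above, as an added example that is not part of the original post. Payload layouts follow RFC 7296; the CA count, certificate and signature sizes, cipher parameters, the 300 bytes for the remaining payloads, and IKE over UDP 4500 are constructed assumptions.

```python
# Added example: estimate the size of a client's first IKE_AUTH datagram.
# Payload layouts follow RFC 7296; every sample size is a constructed assumption.
IKE_HDR = 28                 # fixed IKE header
GENERIC_HDR = 4              # generic header in front of every payload
SHA1_LEN = 20                # CERTREQ carries one SHA-1 key hash per trusted CA
IPV4_HDR, UDP_HDR, NON_ESP_MARKER = 20, 8, 4   # assumes IKE over UDP 4500


def ceil_div(a, b):
    return -(-a // b)


def certreq_len(num_cas):
    return GENERIC_HDR + 1 + SHA1_LEN * num_cas      # 1 = cert encoding byte


def cert_len(der_len):
    return GENERIC_HDR + 1 + der_len


def auth_len(sig_len):
    return GENERIC_HDR + 4 + sig_len                 # method + 3 reserved bytes


def encrypted_len(inner, iv=16, block=16, icv=16):
    # Assumed AES-CBC with a 128-bit ICV; padding covers payloads + pad-length byte.
    return GENERIC_HDR + iv + ceil_div(inner + 1, block) * block + icv


def ip_fragments(datagram_len, mtu=1500):
    if datagram_len <= mtu:
        return 1
    per_fragment = (mtu - IPV4_HDR) // 8 * 8         # fragment data is 8-byte aligned
    return ceil_div(datagram_len - IPV4_HDR, per_fragment)


def estimate(num_cas, cert_der=0, sig_len=0, other=300, mtu=1500):
    """Return (IP datagram length, number of IP fragments).

    other: assumed total for IDi, SA, TSi, TSr, CP and notify payloads.
    cert_der/sig_len of 0 models EAP, where the client sends no CERT or AUTH.
    """
    inner = other + certreq_len(num_cas)
    if cert_der:
        inner += cert_len(cert_der) + auth_len(sig_len)
    total = IPV4_HDR + UDP_HDR + NON_ESP_MARKER + IKE_HDR + encrypted_len(inner)
    return total, ip_fragments(total, mtu)


if __name__ == "__main__":
    # Constructed inputs: 40 trusted CAs, 1400-byte RSA certificate, 256-byte signature.
    print("certificate auth:", estimate(40, cert_der=1400, sig_len=256))
    print("EAP auth:        ", estimate(40))
```

Raising `num_cas` shows how a longer certificate request list grows both messages.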