[strongSwan] What the blankety-blank-blank is Win10 doing? :-)

Karl Denninger karl at denninger.net
Fri Jun 30 19:09:51 CEST 2017



On 6/26/2017 10:46, Tobias Brunner wrote:
> Hi Karl,
>
>> StrongSwan never gets this packet.  I assume the problem here is the
>> length mismatch, but not certain.  What is certain is that StrongSwan
>> never sees it; no matter how far up I turn the logging I never see any
>> evidence of it being logged.
> Sounds like an IP fragmentation issue (message is too large -> gets
> fragmented -> fragments get dropped on the way to the server -> server
> never sees the complete message).  Unfortunately, you can't do much
> about that on Windows if you want to use certificates as the built-in
> client does not support IKEv2 fragmentation, ECDSA certificates (which
> are significantly smaller than RSA certificates), or omit the client
> certificate, and the certificate requests can't be controlled either
> (since a Windows system has more and more CA certificates installed over
> time that list gets longer and longer the older a system is).  The only
> option to reduce the size of the IKE_AUTH message is to use EAP
> authentication with username/password.
>
> Regards,
> Tobias
I've been unable to get an ECDSA certificate to import on my Android
phone (BlackBerry DTEK60, Android 6.01) -- the same error occasionally
bites me on the phone too during initial negotiation *some* of the time
(looks like I got 3 fragments that have to be passed and one of them
gets dropped often enough that the initial keying fails, which has to
succeed before IKEv2 frag support helps.)

Is there a known list of ECDSA certificate parameters that are known to
work?  I can generate pretty-much anything using openssl but the two
attempts I made specifying the curve and including it in the cert both
failed to import (with no useful error message as to why on the phone
end, of course.)

And then on the Windows side is there another client known that properly
does IKEv2 fragmentation *with* ECDSA cert support?  That would give me
a nice consistent option for both phones and laptops (well, at least
Windows ones.)

Thanks in advance..

-- 
Karl Denninger
karl at denninger.net <mailto:karl at denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
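The size question raised in the thread (how much of IKE_AUTH is the certificate plus the signature, and how much ECDSA saves over RSA) can be measured rather than guessed. The script below is an added example for this page; it is not part of Karl's or Tobias's mail and not strongSwan project code. It uses only the openssl CLI to build an RSA-2048 and a P-256 CA plus server certificates, reports the DER sizes that would travel in the CERT payload and the size of a signature of the kind carried in the AUTH payload, and bundles an ECDSA client certificate into PKCS#12 for import on a phone or laptop. The names (vpn.example.net, laptop.example.net, the CA name), the scratch directory and the password "changeit" are assumptions for the demo, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the strongSwan list thread, not project code):
# compare the IKE_AUTH-relevant sizes of RSA-2048 and ECDSA P-256
# certificates built with the openssl CLI, and produce a PKCS#12 bundle.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # scratch directory (assumed writable)
DAYS=30                           # short validity: demo certificates only
CA_CN="Example VPN CA"            # hypothetical names, not from the thread
SERVER_CN="vpn.example.net"
CLIENT_CN="laptop.example.net"

# Private key of the requested type. For EC the curve is encoded as a
# named OID (ec_param_enc:named_curve); explicit curve parameters are a
# common reason an otherwise valid ECDSA certificate fails to import.
gen_key() {  # gen_key <rsa|ec> <outfile>
    case "$1" in
        rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
                 -out "$2" 2>/dev/null ;;
        ec)  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
                 -pkeyopt ec_param_enc:named_curve -out "$2" 2>/dev/null ;;
        *)   echo "unknown key type: $1" >&2; return 1 ;;
    esac
}

# Self-signed CA with explicit CA extensions (does not rely on openssl.cnf).
gen_ca() {  # gen_ca <rsa|ec>
    gen_key "$1" "$WORK/$1-ca.key"
    openssl req -new -key "$WORK/$1-ca.key" -subj "/CN=$CA_CN ($1)" \
        -out "$WORK/$1-ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/$1-ca.ext"
    openssl x509 -req -in "$WORK/$1-ca.csr" -signkey "$WORK/$1-ca.key" \
        -days "$DAYS" -extfile "$WORK/$1-ca.ext" -out "$WORK/$1-ca.pem" 2>/dev/null
}

# End-entity certificate from the CA of the same type, with a SAN (the IKE
# identity strongSwan matches against) and an extended key usage.
issue_cert() {  # issue_cert <rsa|ec> <name> <cn> <serverAuth|clientAuth>
    gen_key "$1" "$WORK/$2.key"
    openssl req -new -key "$WORK/$2.key" -subj "/CN=$3" -out "$WORK/$2.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=%s\n' "$3" "$4" > "$WORK/$2.ext"
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" \
        -CAcreateserial -days "$DAYS" -extfile "$WORK/$2.ext" \
        -out "$WORK/$2.pem" 2>/dev/null
    openssl verify -CAfile "$WORK/$1-ca.pem" "$WORK/$2.pem" >/dev/null
}

# Bytes of the DER encoding: what an IKEv2 CERT payload carries.
der_size() {  # der_size <cert.pem>
    openssl x509 -in "$1" -outform DER | wc -c | tr -d ' '
}

# Bytes of a SHA-256 signature with this key: the order of magnitude of the
# AUTH payload (256 for RSA-2048, a ~70-byte DER pair for P-256).
sig_size() {  # sig_size <key.pem>
    printf 'constructed signed octets' | openssl dgst -sha256 -sign "$1" | wc -c | tr -d ' '
}

# PKCS#12 with key, certificate and issuing CA. The PBE and MAC algorithms
# are pinned to the ones OpenSSL 1.1 emitted by default; OpenSSL 3 defaults
# to AES/PBKDF2 bundles that older importers do not accept.
make_p12() {  # make_p12 <name> <ca-type> <password>
    openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.pem" \
        -certfile "$WORK/$2-ca.pem" -name "$1" -passout "pass:$3" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -out "$WORK/$1.p12" 2>/dev/null
}

build_all() {
    for t in rsa ec; do
        gen_ca "$t"
        issue_cert "$t" "$t-server" "$SERVER_CN" serverAuth
    done
    issue_cert ec ec-client "$CLIENT_CN" clientAuth
    make_p12 ec-client ec changeit
}

report() {
    for t in rsa ec; do
        ca=$(der_size "$WORK/$t-ca.pem"); ee=$(der_size "$WORK/$t-server.pem")
        sig=$(sig_size "$WORK/$t-server.key")
        echo "$t: CA cert $ca B, server cert $ee B, signature $sig B," \
             "cert+signature $((ee + sig)) B"
    done
    echo "PKCS#12 for the ECDSA client: $WORK/ec-client.p12 (password: changeit)"
}

build_all
report
```

The numbers printed are only the peer-dependent part of IKE_AUTH; the CERTREQ payloads Tobias mentions (one hash per trusted CA the client carries), the IDi/IDr, SA and TS payloads come on top, so compare the totals against the path MTU you actually have rather than against 1500. Two details worth checking when an ECDSA certificate is refused on import: that the key was generated with a named curve rather than explicit parameters (`openssl ec -in key.pem -text -noout` shows `ASN1 OID: prime256v1` for a named curve), and that the PKCS#12 was written with algorithms the importer understands, which is why the script pins them.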