[strongSwan] Cannot connect to IPsec gateway in a roadwarrior scenario because of large packet lengths

Олег Пруц olegp04728 at gmail.com
Tue Sep 26 21:05:00 CEST 2017


Hello Anvar,

I tried this and now I have this in syslog for some reason:

charon: 14[IKE] no trusted RSA public key found for ...

although my certificate and private key are specified in Network Manager on
the client.

Regards,
Oleg Prutz


2017-09-23 19:46 GMT+03:00 Anvar Kuchkartaev <anvar at anvartay.com>:

> You can use fragmentation=yes option in your server side configuration
> file and authentication request/response will be fragmented before forming
> ip packets.
>
> Anvar Kuchkartaev
> anvar at anvartay.com
> *From: *Олег Пруц
> *Sent: *Saturday, September 23, 2017 05:09 p.m.
> *To: *users at lists.strongswan.org
> *Subject: *[strongSwan] Cannot connect to IPsec gateway in a roadwarrior
> scenario because of large packet lengths
>
> Hello strongSwan team,
>
> Thank you for your great job. You are enabling user privacy and internet
> freedom for people really concerned with this. As for me, this is my use
> case: I purchased AWS instance with Ubuntu 16.04.2 and installed strongSwan
> on it, so I was successfully connecting from my home computer to it and was
> able to bypass restrictions.
>
> However, as I have to use another network now, the connection is not
> establishing anymore. I did IP packet captures both on the server and on my
> machine and found out that the server fragments packets and sends packets
> with size larger than my MTU during key exchange. I set server MTU to be
> 1000, but fragmentation is still there, and fragmented packets do not pass
> to my machine. It seems to be an issue with my new ISP which does not
> handle fragmented packets.
>
> I can supply the captures if necessary.
>
> Regards,
> Oleg Prutz
>
>
>