[strongSwan] Cannot connect to IPsec gateway in a roadwarrior scenario because of large packet lengths

Олег Пруц olegp04728 at gmail.com
Tue Sep 26 23:46:25 CEST 2017


Yes, I tried to put my client public key into /etc/ipsec.d/certs/; that did
not help. Client OS: Xubuntu 14.04.5, kernel 3.13.0-129-generic; server OS: Ubuntu
16.04.2, kernel 4.4.0-1035-aws.

2017-09-27 0:39 GMT+03:00 Anvar Kuchkartaev <anvar at anvartay.com>:

> In my case I am using strongSwan in a Red Hat environment, which does not work
> with NetworkManager, and I use an intra-organisation CA to sign certificates
> that verify both the server and the client side. I never tried to verify a public
> key only. But you may try to add the public key of the server to the strongSwan global
> configuration directory (in Red Hat it is located at /etc/strongswan, and
> the certificate database of strongSwan is in /etc/strongswan/ipsec.d/[certs][cacerts]).
> May I ask what version of strongSwan you are using and what the server
> and client OS are?
>
> Anvar Kuchkartaev
> anvar at anvartay.com
> From: Олег Пруц
> Sent: Tuesday, 26 September 2017 09:05 p.m.
> To: Anvar Kuchkartaev
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] Cannot connect to IPsec gateway in a
> roadwarrior scenario because of large packet lengths
>
> Hello Anvar,
>
> I tried this and now I have this in syslog for some reason:
>
> charon: 14[IKE] no trusted RSA public key found for ...
>
> although my certificate and private key are specified in Network Manager
> on the client.
>
> Regards,
> Oleg Prutz
>
>
> 2017-09-23 19:46 GMT+03:00 Anvar Kuchkartaev <anvar at anvartay.com>:
>
>> You can use the fragmentation=yes option in your server-side configuration
>> file, and the authentication request/response will be fragmented before forming
>> IP packets.
>>
>> Anvar Kuchkartaev
>> anvar at anvartay.com
>> From: Олег Пруц
>> Sent: Saturday, 23 September 2017 05:09 p.m.
>> To: users at lists.strongswan.org
>> Subject: [strongSwan] Cannot connect to IPsec gateway in a roadwarrior
>> scenario because of large packet lengths
>>
>> Hello strongSwan team,
>>
>> Thank you for your great work. You are enabling user privacy and internet
>> freedom for people who are really concerned about this. As for me, this is my use
>> case: I purchased an AWS instance with Ubuntu 16.04.2 and installed strongSwan
>> on it, so I was successfully connecting from my home computer to it and was
>> able to bypass restrictions.
>>
>> However, as I have to use another network now, the connection does not
>> establish anymore. I did IP packet captures both on the server and on my
>> machine and found out that the server fragments packets and sends packets
>> with a size larger than my MTU during the key exchange. I set the server MTU to
>> 1000, but the fragmentation is still there, and the fragmented packets do not pass
>> to my machine. It seems to be an issue with my new ISP, which does not
>> handle fragmented packets.
>>
>> I can supply the captures if necessary.
>>
>> Regards,
>> Oleg Prutz
>>
>>
>>
>
>
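For readers following this thread, here is what the fragmentation=yes suggestion above looks like in a roadwarrior gateway configuration. This is an added example and not a configuration posted by anyone in the thread; the connection name, the identity, the certificate file name and the address pool are placeholders.

```ini
# Added example (not from the thread): roadwarrior gateway conn in /etc/ipsec.conf
# with IKEv2 message-level fragmentation enabled. The names "rw", "vpn.example.com",
# "serverCert.pem" and the pool 10.10.10.0/24 are placeholders, not values from the thread.
conn rw
    keyexchange=ikev2
    left=%any
    leftid=@vpn.example.com
    leftcert=serverCert.pem
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    right=%any
    rightsourceip=10.10.10.0/24
    rightauth=pubkey
    # IKE_AUTH carries the certificates and is the message that grows past the
    # path MTU. With fragmentation=yes charon splits it into several IKE fragments,
    # each sent in its own UDP datagram, instead of one large datagram that the
    # IP layer has to fragment (and that many ISPs and NATs then drop).
    fragmentation=yes
    auto=add
```

Two caveats when applying this. IKEv2 fragmentation (RFC 7383) is negotiated, so it only takes effect if the client also supports and enables it; lowering the MTU on the gateway does not help because the problem is the size of the UDP datagram, not the interface. The fragment size is controlled by charon.fragment_size in /etc/strongswan.conf (default 1280 bytes); if the path still drops datagrams of that size, lower it there. To confirm the change took effect, capture UDP ports 500 and 4500 on the gateway while the client connects and check that every datagram now stays under the fragment size and that no IP-fragment continuation packets appear.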