[strongSwan] Cannot connect to IPsec gateway in a roadwarrior scenario because of large packet lengths

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Sep 27 01:28:47 CEST 2017


Hi,

Please verify the following:
- The certificate the initiator (Host using NetworkManager) sends to the responder (Host running strongSwan (your IPsec gateway)) has a SAN value that contains the ID the initiator sends or the ID is the DN
- The certificate the initiator sends is correctly signed by a trusted CA that is loaded into the daemon on the responder (verify this using `ipsec listcacerts` or `swanctl --list-authorities`, if you use swanctl)

Kind regards

Noel

On 26.09.2017 23:46, Олег Пруц wrote:
> Yes, I tried to put my client public key into /etc/ipsec.d/certs/, that did not help. Client OS: Xubuntu 14.04.5 3.13.0-129-generic, server OS: Ubuntu 16.04.2 4.4.0-1035-aws
>
> 2017-09-27 0:39 GMT+03:00 Anvar Kuchkartaev <anvar at anvartay.com <mailto:anvar at anvartay.com>>:
>
>     In my case I am using strongswan in redhat environment which does not work with NetworkManager and I use intra organisation CA to sign certificates which verifies both server and client sites. I never tried to verify public key only. But you may try to add public key of server to strongswan global configuration directory (in redhat it is located on /etc/strongswan and certificate database of strongswan is in /etc/strongswan/ipsec.d/[certs][cacerts]) . May I ask what version of strongswan are you using and what is the server and client OS?
>
>     Anvar Kuchkartaev
>     anvar at anvartay.com <mailto:anvar at anvartay.com>
>
>     *From: *Олег Пруц
>     *Sent: *Tuesday, 26 September 2017 09:05 p.m.
>     *To: *Anvar Kuchkartaev
>     *Cc: *users at lists.strongswan.org <mailto:users at lists.strongswan.org>
>     *Subject: *Re: [strongSwan] Cannot connect to IPsec gateway in a roadwarrior scenario because of large packet lengths
>
>
>     Hello Anvar,
>
>     I tried this and now I have this in syslog for some reason:
>
>     charon: 14[IKE] no trusted RSA public key found for ...
>
>     although my certificate and private key are specified in Network Manager on the client.
>
>     Regards,
>     Oleg Prutz
>
>
>     2017-09-23 19:46 GMT+03:00 Anvar Kuchkartaev <anvar at anvartay.com <mailto:anvar at anvartay.com>>:
>
>         You can use fragmentation=yes option in your server side configuration file and authentication request/response will be fragmented before forming IP packets.
>
>         Anvar Kuchkartaev
>         anvar at anvartay.com <mailto:anvar at anvartay.com>
>
>         *From: *Олег Пруц
>         *Sent: *Saturday, 23 September 2017 05:09 p.m.
>         *To: *users at lists.strongswan.org <mailto:users at lists.strongswan.org>
>         *Subject: *[strongSwan] Cannot connect to IPsec gateway in a roadwarrior scenario because of large packet lengths
>
>
>         Hello strongSwan team,
>
>         Thank you for your great job. You are enabling user privacy and internet freedom for people really concerned with this. As for me, this is my use case: I purchased AWS instance with Ubuntu 16.04.2 and installed strongSwan on it, so I was successfully connecting from my home computer to it and was able to bypass restrictions.
>
>         However, as I have to use another network now, the connection is not establishing anymore. I did IP packet captures both on the server and on my machine and found out that the server fragments packets and sends packets with size larger than my MTU during key exchange. I set server MTU to be 1000, but fragmentation is still there, and fragmented packets do not pass to my machine. It seems to be an issue with my new ISP which does not handle fragmented packets.
>
>         I can supply the captures if necessary.
>
>         Regards,
>         Oleg Prutz
>
>
>
>
>
