[strongSwan] Cannot connect to IPsec gateway in a roadwarrior scenario because of large packet lengths
Олег Пруц
olegp04728 at gmail.com
Thu Sep 28 09:09:05 CEST 2017
Ok, I just created a new ec2 instance, generated a new server certificate
and set up strongswan so let's say the authentication problem is solved.
There is still the original problem: I cannot establish connection due to
fragmentation filtering and when I add 'fragmentation=yes' in conn %default
section, strongswan does not seem to notice it, which can be seen from the
logs after I run 'sudo ipsec restart':
Sep 28 06:43:53 ******** charon: 11[CFG] received stroke: add connection
'IPSec-IKEv2'
Sep 28 06:43:53 ******** charon: 11[CFG] conn IPSec-IKEv2
Sep 28 06:43:53 ******** charon: 11[CFG] left=%any
Sep 28 06:43:53 ******** charon: 11[CFG] leftsubnet=0.0.0.0/0
Sep 28 06:43:53 ******** charon: 11[CFG] leftcert=server2Cert.pem
Sep 28 06:43:53 ******** charon: 11[CFG] right=%any
Sep 28 06:43:53 ******** charon: 11[CFG] rightsourceip=172.16.16.0/24
Sep 28 06:43:53 ******** charon: 11[CFG]
rightdns=31.3.135.232,87.98.175.85
Sep 28 06:43:53 ******** charon: 11[CFG]
ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes25$
-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp$
024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
Sep 28 06:43:53 ******** charon: 11[CFG]
esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1$
modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,a$
s256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-$
odp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
Sep 28 06:43:53 ******** charon: 11[CFG] dpddelay=300
Sep 28 06:43:53 ******** charon: 11[CFG] dpdtimeout=150
Sep 28 06:43:53 ******** charon: 11[CFG] dpdaction=1
Sep 28 06:43:53 ******** charon: 11[CFG] mediation=no
Sep 28 06:43:53 ******** charon: 11[CFG] keyexchange=ikev2
Sep 28 06:43:53 ******** charon: 11[CFG] adding virtual IP address pool
172.16.16.0/24
Sep 28 06:43:53 ******** charon: 11[CFG] loaded certificate "******" from
'server2Cert.pem'
Sep 28 06:43:53 ******** charon: 11[CFG] id '%any' not confirmed by
certificate, defaulting to '******'
Sep 28 06:43:53 ******** charon: 11[CFG] added configuration 'IPSec-IKEv2'
Sep 28 06:43:53 ******** charon: 13[CFG] received stroke: add connection
'IPSec-IKEv2-EAP'
Sep 28 06:43:53 ******** charon: 13[CFG] conn IPSec-IKEv2-EAP
Sep 28 06:43:53 ******** charon: 13[CFG] left=%any
Sep 28 06:43:53 ******** charon: 13[CFG] leftsubnet=0.0.0.0/0
Sep 28 06:43:53 ******** charon: 13[CFG] leftcert=server2Cert.pem
Sep 28 06:43:53 ******** charon: 13[CFG] right=%any
Sep 28 06:43:53 ******** charon: 13[CFG] rightsourceip=172.16.16.0/24
Sep 28 06:43:53 ******** charon: 13[CFG]
rightdns=31.3.135.232,87.98.175.85
Sep 28 06:43:53 ******** charon: 13[CFG] rightauth=eap-mschapv2
Sep 28 06:43:53 ******** charon: 13[CFG] eap_identity=%any
Sep 28 06:43:53 ******** charon: 13[CFG]
ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256
-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1
024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
Sep 28 06:43:53 ******** charon: 13[CFG]
esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-
modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,ae
s256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-m
odp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
Sep 28 06:43:53 ******** charon: 13[CFG] dpddelay=300
Sep 28 06:43:53 ******** charon: 13[CFG] dpdtimeout=150
Sep 28 06:43:53 ******** charon: 13[CFG] dpdaction=1
Sep 28 06:43:53 ******** charon: 13[CFG] mediation=no
Sep 28 06:43:53 ******** charon: 13[CFG] keyexchange=ikev2
Sep 28 06:43:53 ******** charon: 13[CFG] reusing virtual IP address pool
172.16.16.0/24
Sep 28 06:43:53 ******** charon: 13[CFG] loaded certificate "******" from
'server2Cert.pem'
Sep 28 06:43:53 ******** charon: 13[CFG] id '%any' not confirmed by
certificate, defaulting to '******'
Sep 28 06:43:53 ******** charon: 13[CFG] added configuration
'IPSec-IKEv2-EAP'
Sep 28 06:43:53 ******** charon: 14[CFG] received stroke: add connection
'CiscoIPSec'
Sep 28 06:43:53 ******** charon: 14[CFG] conn CiscoIPSec
Sep 28 06:43:53 ******** charon: 14[CFG] left=%any
Sep 28 06:43:53 ******** charon: 14[CFG] leftsubnet=0.0.0.0/0
Sep 28 06:43:53 ******** charon: 14[CFG] leftcert=server2Cert.pem
Sep 28 06:43:53 ******** charon: 14[CFG] right=%any
Sep 28 06:43:53 ******** charon: 14[CFG] rightsourceip=172.16.16.0/24
Sep 28 06:43:53 ******** charon: 14[CFG]
rightdns=31.3.135.232,87.98.175.85
Sep 28 06:43:53 ******** charon: 14[CFG] rightauth=pubkey
Sep 28 06:43:53 ******** charon: 14[CFG] rightauth2=xauth
Sep 28 06:43:53 ******** charon: 14[CFG]
ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256
-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1
024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
Sep 28 06:43:53 ******** charon: 14[CFG]
esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-
modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,ae
s256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-m
odp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
Sep 28 06:43:53 ******** charon: 14[CFG] dpddelay=300
Sep 28 06:43:53 ******** charon: 14[CFG] dpdtimeout=150
Sep 28 06:43:53 ******** charon: 14[CFG] dpdaction=1
Sep 28 06:43:53 ******** charon: 14[CFG] mediation=no
Sep 28 06:43:53 ******** charon: 14[CFG] keyexchange=ikev1
Sep 28 06:43:53 ******** charon: 14[CFG] reusing virtual IP address pool
172.16.16.0/24
Sep 28 06:43:53 ******** charon: 14[CFG] loaded certificate "******" from
'server2Cert.pem'
Sep 28 06:43:53 ******** charon: 14[CFG] id '%any' not confirmed by
certificate, defaulting to '******'
Sep 28 06:43:53 ******** charon: 14[CFG] added configuration 'CiscoIPSec'
In case it matters, I used this guide for setup:
https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/
My strongSwan version:
Linux strongSwan U5.3.5/K4.4.0-1022-aws
2017-09-27 3:17 GMT+03:00 Noel Kuntze <
noel.kuntze+strongswan-users-ml at thermi.consulting>:
> Hi,
>
> UDP packets cannot be fragmented on the transport layer. UDP packets
> represent a complete datagram, not a byte stream like TCP. Fragmentation
> needs to be implemented on the application layer, which is what charon
> supports with IKEv1 and IKEv2 fragmentation, configurable with
> fragmentation=yes, which enables support for it. It is used if the remote
> peer indicates support for it as well.
>
> Yes, the problem is caused by your new ISP (or some other hop to the other
> peer) dropping IP fragments.
>
> Kind regards
>
> Noel
>
> On 23.09.2017 18:46, Anvar Kuchkartaev wrote:
> > You can use fragmentation=yes option in your server side configuration
> file and authentication request/response will be fragmented before forming
> ip packets.
> >
> > Anvar Kuchkartaev
> > anvar at anvartay.com
> > *From: *Олег Пруц
> > *Sent: *Saturday, 23 September 2017 05:09 p.m.
> > *To: *users at lists.strongswan.org
> > *Subject: *[strongSwan] Cannot connect to IPsec gateway in a roadwarrior
> scenario because of large packet lengths
> >
> >
> > Hello strongSwan team,
> >
> > Thank you for your great job. You are enabling user privacy and internet
> freedom for people really concerned with this. As for me, this is my use
> case: I purchased AWS instance with Ubuntu 16.04.2 and installed strongSwan
> on it, so I was successfully connecting from my home computer to it and was
> able to bypass restrictions.
> >
> > However, as I have to use another network now, the connection is not
> establishing anymore. I did IP packet captures both on the server and on my
> machine and found out that the server fragments packets and sends packets
> with size larger than my MTU during key exchange. I set server MTU to be
> 1000, but fragmentation is still there, and fragmented packets do not pass
> to my machine. It seems to be an issue with my new ISP which does not
> handle fragmented packets.
> >
> > I can supply the captures if necessary.
> >
> > Regards,
> > Oleg Prutz
> >
> >
>
>
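The point Noel makes above (IP fragments of a large IKE_AUTH datagram get dropped on the path, while IKE-level fragmentation keeps every datagram under the MTU) as an added, self-contained simulation. This is illustrative code written for this page, not strongSwan's implementation; the MTU value, the fragment header (a simplified RFC 7383 layout, no encryption) and the IKE_AUTH stand-in are constructed assumptions.

```python
# Added illustration (not strongSwan code): why a large IKE_AUTH in one UDP
# datagram is lost on a path that drops IP fragments, and how IKEv2-style
# application-layer fragmentation (RFC 7383, simplified) gets it through.
import struct

MTU = 1000  # bytes per datagram the path lets through (constructed value)


def path(datagram: bytes, mtu: int = MTU):
    """A constructed link: anything larger than the MTU would have to be
    IP-fragmented, and this ISP drops IP fragments, so the datagram is lost."""
    return datagram if len(datagram) <= mtu else None


def fragment(message: bytes, max_frag: int):
    """Split one IKE message into numbered fragments: 2-byte fragment number,
    2-byte total, then the chunk (RFC 7383 style, minus encryption)."""
    hdr = 4
    step = max_frag - hdr
    chunks = [message[i:i + step] for i in range(0, len(message), step)]
    return [struct.pack("!HH", n, len(chunks)) + c for n, c in enumerate(chunks, 1)]


def reassemble(fragments):
    """Reassemble; returns None unless every numbered fragment arrived."""
    parts, total = {}, None
    for f in fragments:
        if f is None:          # dropped on the path
            continue
        n, total = struct.unpack("!HH", f[:4])
        parts[n] = f[4:]       # duplicates overwrite identical data
    if total is None or len(parts) != total:
        return None
    return b"".join(parts[n] for n in range(1, total + 1))


def send_unfragmented(message: bytes):
    return path(message)


def send_fragmented(message: bytes, max_frag: int = MTU):
    return reassemble(path(f) for f in fragment(message, max_frag))


# Constructed stand-in for an IKE_AUTH carrying a certificate chain.
IKE_AUTH = b"IKE_AUTH:" + b"\x30\x82" * 1100   # 2209 bytes, larger than MTU

if __name__ == "__main__":
    print("single datagram arrives:", send_unfragmented(IKE_AUTH) is not None)
    print("IKE fragments arrive:", send_fragmented(IKE_AUTH) == IKE_AUTH)
```

Fragments larger than the path MTU are dropped just like the unfragmented message, which is why the fragment size must be chosen below the smallest MTU on the path.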