[strongSwan] Intermittent MTU issue

Phil Frost phil at postmates.com
Fri Jun 1 17:05:15 CEST 2018


On Tue, May 29, 2018 at 12:05 PM Arzhel Younsi <arzhel at younsi.org> wrote:

> How to troubleshoot it more?
>

Another method is to capture the encrypted traffic normally, and then grab
the encryption keys from the kernel and decrypt the traffic in Wireshark.
The keys currently in use can be viewed with "ip xfrm state", or I believe
if the "charondebug" setting in ipsec.conf is set with enough verbosity,
the keys will get logged as they are exchanged via IKE.

I would wonder how big these spikes are. It could be normal path discovery
activity.

I'd also check that under no circumstances can the hosts exchange
unencrypted traffic. This can happen for example if the tunnel goes down
and there's nothing to block unencrypted traffic. "auto=route" is a good
idea, as is blocking everything besides ESP with iptables.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180601/a7b4fe2a/attachment.html>


More information about the Users mailing list