[strongSwan] Intermittent MTU issue

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Jun 1 17:50:45 CEST 2018


>
> I'd also check that under no circumstances can the hosts exchange unencrypted traffic. This can happen for example if the tunnel goes down and there's nothing to block unencrypted traffic. "auto=route" is a good idea, as is blocking everything besides ESP with iptables.
If you do that, nothing will work, because decapsulated packets are subject to iptables rules, too.


On 01.06.2018 17:05, Phil Frost wrote:
> On Tue, May 29, 2018 at 12:05 PM Arzhel Younsi <arzhel at younsi.org> wrote:
>
>     How to troubleshoot it more?
>
>
> Another method is to capture the encrypted traffic normally, and then grab the encryption keys from the kernel and decrypt the traffic in Wireshark. The keys currently in use can be viewed with "ip xfrm state", or I believe if the "charondebug" setting in ipsec.conf is set with enough verbosity, the keys will get logged as they are exchanged via IKE.
>
> I would wonder how big these spikes are. It could be normal path discovery activity.
>
> I'd also check that under no circumstances can the hosts exchange unencrypted traffic. This can happen for example if the tunnel goes down and there's nothing to block unencrypted traffic. "auto=route" is a good idea, as is blocking everything besides ESP with iptables.
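
As an added, stand-alone example (not from this thread and not strongSwan's own code), the two practical points above in working shell: an iptables-restore ruleset that drops cleartext between the hosts without breaking the tunnel, using the xt_policy match so that decapsulated packets, which as Noel notes traverse iptables a second time, are accepted only when the kernel has associated them with an IPsec policy; and an awk converter that turns `ip xfrm state` output into lines for Wireshark's ESP SA table. The interface name eth0, the peer 203.0.113.5, the addresses and every key in the sample are constructed placeholders. The Wireshark algorithm strings and the 8-column layout are those of the esp_sa table as I know it; newer Wireshark versions append columns for ESN handling, so compare one generated line with an entry added through the ESP protocol preferences before importing the rest.

```shell
#!/bin/sh
# Added example (not from the thread). eth0, 203.0.113.5, all addresses and all
# key bytes below are constructed placeholders.

# Print an iptables-restore ruleset for a host with one IPsec peer. Inner
# packets traverse INPUT/OUTPUT again after decapsulation (and before
# encapsulation), so they need their own ACCEPT; xt_policy only matches packets
# the kernel has tied to an IPsec policy, so cleartext to/from the peer stays
# dropped even while the tunnel is down.
ipsec_ruleset() {
    wan="$1"; peer="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# IKE and NAT-T, only with the configured peer
-A INPUT -i $wan -s $peer -p udp -m multiport --dports 500,4500 -j ACCEPT
-A OUTPUT -o $wan -d $peer -p udp -m multiport --dports 500,4500 -j ACCEPT
# ESP on the wire
-A INPUT -i $wan -s $peer -p esp -j ACCEPT
-A OUTPUT -o $wan -d $peer -p esp -j ACCEPT
# Path MTU discovery depends on these; dropping them is a classic MTU failure
-A INPUT -i $wan -p icmp --icmp-type fragmentation-needed -j ACCEPT
# Inner packets: only those carried (or about to be carried) by an IPsec SA
-A INPUT -i $wan -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -o $wan -m policy --dir out --pol ipsec --proto esp -j ACCEPT
COMMIT
EOF
}

# Read `ip xfrm state` on stdin, emit one Wireshark esp_sa line per ESP SA.
# The kernel's AEAD key already carries the 4-byte salt, which is the form
# Wireshark expects for AES-GCM. Unknown algorithms are emitted as UNKNOWN so
# they fail visibly instead of decrypting to garbage.
xfrm_to_esp_sa() {
    awk '
    function enc_name(a) {
        if (a == "cbc(aes)")          return "AES-CBC [RFC3602]"
        if (a == "cbc(des3_ede)")     return "TripleDES-CBC [RFC2451]"
        if (a == "rfc3686(ctr(aes))") return "AES-CTR [RFC3686]"
        if (a == "ecb(cipher_null)")  return "NULL"
        return "UNKNOWN " a
    }
    function aead_name(a, icv) {
        if (a == "rfc4106(gcm(aes))" && icv == 64)  return "AES-GCM with 8 octet ICV [RFC4106]"
        if (a == "rfc4106(gcm(aes))" && icv == 96)  return "AES-GCM with 12 octet ICV [RFC4106]"
        if (a == "rfc4106(gcm(aes))" && icv == 128) return "AES-GCM with 16 octet ICV [RFC4106]"
        return "UNKNOWN " a "-" icv
    }
    function auth_name(a, t) {
        if (a == "hmac(sha1)"   && t == 96)  return "HMAC-SHA-1-96 [RFC2404]"
        if (a == "hmac(md5)"    && t == 96)  return "HMAC-MD5-96 [RFC2403]"
        if (a == "hmac(sha256)" && t == 128) return "HMAC-SHA-256-128 [RFC4868]"
        if (a == "hmac(sha384)" && t == 192) return "HMAC-SHA-384-192 [RFC4868]"
        if (a == "hmac(sha512)" && t == 256) return "HMAC-SHA-512-256 [RFC4868]"
        return "UNKNOWN " a "-" t
    }
    function flush() {
        if (spi != "")
            printf "\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\"\n",
                   (index(src, ":") ? "IPv6" : "IPv4"), src, dst, spi, enc, ekey, auth, akey
        src = dst = spi = enc = ekey = akey = ""; auth = "NULL"
    }
    BEGIN { auth = "NULL" }
    $1 == "src" && $3 == "dst"   { flush(); src = $2; dst = $4 }
    $1 == "proto" && $2 == "esp" { for (i = 3; i < NF; i++) if ($i == "spi") spi = $(i + 1) }
    $1 == "enc"  { enc = enc_name($2); ekey = $3 }
    $1 == "aead" { enc = aead_name($2, $4); ekey = $3 }
    $1 == "auth" || $1 == "auth-trunc" { auth = auth_name($2, ($4 == "" ? 96 : $4)); akey = $3 }
    END { flush() }'
}

# Constructed `ip xfrm state` output: two SAs, one per direction. Real output
# is tab-indented; the parser only splits on whitespace, so that is irrelevant.
sample_xfrm_state() {
    cat <<'EOF'
src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0xc1a2b3c4 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 128
    enc cbc(aes) 0x00112233445566778899aabbccddeeff
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
    sel src 0.0.0.0/0 dst 0.0.0.0/0
src 198.51.100.1 dst 192.0.2.1
    proto esp spi 0xd5e6f708 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    aead rfc4106(gcm(aes)) 0xffeeddccbbaa99887766554433221100cafebabe 128
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
    sel src 0.0.0.0/0 dst 0.0.0.0/0
EOF
}

sample_xfrm_state | xfrm_to_esp_sa
```

On a live host the conversion is `ip xfrm state | xfrm_to_esp_sa >> ~/.config/wireshark/esp_sa` (older builds keep the file under ~/.wireshark), after which "Attempt to detect/decode encrypted ESP payloads" must be enabled in the ESP protocol preferences. The file then holds the same key material as the kernel SAD, so treat it like the SA itself: root-only permissions, and delete it when the capture is analysed. The ruleset is applied with `ipsec_ruleset eth0 203.0.113.5 | iptables-restore`; on a gateway rather than a host the same policy-match rules belong in FORWARD as well.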


