[strongSwan] IKE2 4500 Reply Not Making it Out

Info infosec at quantum-equities.com
Fri Mar 23 21:25:29 CET 2018


On 03/23/2018 12:57 PM, Info wrote:
>
>>> Is there anything logged by the kernel in its ring buffer?
>>> And please add the route I previously mentioned. And stop using ifconfig, or generally the net-tools.
>>>
>>> Kind regards
>>>
>>> Noel
>>
> Looks like journalctl is more useful.  Apparently something was wrong
> with my prior charon.conf setup, so I've merged the two sections into one.
>
> Attached.
>
"[ENC] fragmented IKE message is too large"

My CA key and machine keys are generated with:

# strongswan pki --gen --type rsa --outform pem --size 16384 > /etc/pki/CA/private/{CAmachinename}-CAkey.pem
# strongswan pki --gen --type rsa --outform pem --size 16384 > /etc/pki/ipsec/private/{machineA}-Key.pem

... and Noel says that's ridiculous. But we all have our peculiar ways.
G**gle is baffled, but this may have something to do with MTU, which is
1500 on the eth0 interface. Cert sizes are ~6043 Bytes and for the CA
cert 6067. I once tried to set MTU to 9000, but the outside interface in
the LAN gateway refused anything higher than 1500 (DHCP), so that's a
problem. Idk whether this is the problem, and if so what to do about it?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180323/e4a29583/attachment.html>


More information about the Users mailing list