List:       strongswan-users
Subject:    [strongSwan] Cannot connect to IPsec gateway in a roadwarrior scenario because of large packet lengt
From:       Олег Пруц <olegp04728 () gmail ! com>
Date:       2017-08-28 1:41:14
Message-ID: CAKsYAdHFDv83gduUH+Gzjg2scW8fh51NK+B0C+BJ+HeBtaW=YA () mail ! gmail ! com

Hello strongSwan team,

Thank you for your great job. You are enabling user privacy and internet
freedom for people really concerned with this. As for me, this is my use
case: I purchased an AWS instance with Ubuntu 16.04.2 and installed strongSwan
on it, so I was successfully connecting from my home computer to it and was
able to bypass restrictions.
However, as I have to use another network now, the connection is no longer
being established. I did IP packet captures both on the server and on my
machine and found out that the server fragments packets and sends packets
with a size larger than my MTU during key exchange. I set the server MTU to
1000, but fragmentation is still there, and fragmented packets do not pass
to my machine. It seems to be an issue with my new ISP, which does not
handle fragmented packets. Here are the captures after setting a smaller MTU
size.
I hope you will provide some hints.

Regards,
Oleg Prutz


["client.png" (image/png)]
["server.png" (image/png)]
