[Openswan Users] fragmentation in *swan implementations

Norbert Wegener nw at sbs.de
Thu Feb 17 12:43:56 CET 2005

A user of one of our customers in Singapore could not connect to a local 
*swan gateway, but could connect to a gateway in Germany, which is 
configured identically.
He uses certificates for authentication.
Looking at the oakley logfile on the user's windows xp pc,
it turned out, that the Singapore gateway sent messages, that were not 
received by the user located in Singapore. The corresponding pluto log 
entry is the following:
sending 1580 bytes for STATE_MAIN_R2 through eth1
When the German gateway sent packets exactly of the same size, they were 
received. This mysterious behaviour could be cirumvented by reducing the 
size of
the server's certificate as proposed a few times long ago on the lists.
I suppose,that a packet was dropped, that must not have been fragmented.
My question is: Is it a design decision within *swan, that some packets 
must not be fragmented? If so, why and can this be redesigned?
Or is this a principle behaviour with all ipsec implementations?

More information about the Users mailing list