[Openswan Users] fragmentation in *swan implementations
Norbert Wegener
nw at sbs.de
Thu Feb 17 12:43:56 CET 2005
A user of one of our customers in Singapore could not connect to a local
*swan gateway, but could connect to a gateway in Germany, which is
configured identically.
He uses certificates for authentication.
Looking at the oakley logfile on the user's Windows XP PC,
it turned out that the Singapore gateway sent messages that were not
received by the user located in Singapore. The corresponding pluto log
entry is the following:
sending 1580 bytes for STATE_MAIN_R2 through eth1
When the German gateway sent packets of exactly the same size, they were
received. This mysterious behaviour could be circumvented by reducing the
size of the server's certificate, as proposed a few times long ago on the lists.
I suppose that a packet was dropped that must not have been fragmented.
My question is: Is it a design decision within *swan, that some packets
must not be fragmented? If so, why and can this be redesigned?
Or is this a principle behaviour with all ipsec implementations?
Thanks
Norbert
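The situation described above (a 1580-byte IKE main-mode message that leaves the gateway only as IP fragments, which a fragment-dropping path never delivers) can be checked mechanically from the pluto log. The following is an added example, not code from this post or from Openswan; the log lines are constructed (the connection-name prefix is assumed), as are the 1500-byte MTU and the plain UDP/500 framing without NAT-T overhead.

```python
import re
from dataclasses import dataclass

# Constructed sample pluto log lines; only the 1580-byte STATE_MAIN_R2
# line is taken from the post, the "conn" #n prefix is an assumption.
SAMPLE_LOG = """\
"sg-gw" #3: sending 312 bytes for STATE_MAIN_I1 through eth1
"sg-gw" #3: sending 1580 bytes for STATE_MAIN_R2 through eth1
"sg-gw" #3: sending 76 bytes for STATE_MAIN_R3 through eth1
"""

IP_HDR = 20   # IPv4 header without options
UDP_HDR = 8   # UDP header; IKE payload follows on port 500 (no NAT-T header assumed)
LINE_RE = re.compile(r"sending (\d+) bytes for (STATE_\w+) through (\w+)")


@dataclass
class Oversized:
    state: str
    iface: str
    ike_bytes: int    # bytes pluto reported sending
    wire_bytes: int   # IP + UDP + IKE, i.e. the datagram before fragmentation
    fragments: int    # IP fragments the datagram splits into at this MTU


def find_oversized(log: str, mtu: int = 1500):
    """Return IKE messages whose IPv4 datagram exceeds the interface MTU.

    Such a message can only leave the host as IP fragments.  A firewall
    or NAT device that drops non-initial fragments discards the whole
    message and the exchange stalls at that state, which is the symptom
    described in the post (certificates inflate the main-mode R2 message).
    """
    hits = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ike_bytes, state, iface = int(m.group(1)), m.group(2), m.group(3)
        wire = IP_HDR + UDP_HDR + ike_bytes
        if wire > mtu:
            # Each fragment carries (mtu - IP_HDR) bytes of UDP data,
            # rounded down to a multiple of 8 as the IP layer requires.
            per_frag = (mtu - IP_HDR) // 8 * 8
            frags = -(-(UDP_HDR + ike_bytes) // per_frag)   # ceiling division
            hits.append(Oversized(state, iface, ike_bytes, wire, frags))
    return hits
```

Running it against the sample flags only the STATE_MAIN_R2 message (1608 bytes on the wire, two fragments); shrinking the certificate until that number drops below the path MTU is what makes the workaround in the post succeed.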