[Openswan Users] Re: [strongSwan] fragmentation in *swan implementations

Andreas Steffen andreas.steffen at strongsec.net
Thu Feb 17 16:47:45 CET 2005

Hi Norbert,

I'm not aware that *swan does any IP fragmentation on its own for
IKE datagrams. It would be interesting to know if the 1580 byte datagram
leaves the the gateways in one piece or already as two separate IP fragments.
It would also helpful to know if the one or both fragments arrive at the
XPclient.  Running a network sniffer on both the client and the gateway
will shed some light on this matter.



Norbert Wegener wrote:
> A user of one of our customers in Singapore could not connect to a local 
> *swan gateway, but could connect to a gateway in Germany, which is 
> configured identically.
> He uses certificates for authentication.
> Looking at the oakley logfile on the user's windows xp pc,
> it turned out, that the Singapore gateway sent messages, that were not 
> received by the user located in Singapore. The corresponding pluto log 
> entry is the following:
> sending 1580 bytes for STATE_MAIN_R2 through eth1
> When the German gateway sent packets exactly of the same size, they were 
> received. This mysterious behaviour could be cirumvented by reducing the 
> size of
> the server's certificate as proposed a few times long ago on the lists.
> I suppose,that a packet was dropped, that must not have been fragmented.
> My question is: Is it a design decision within *swan, that some packets 
> must not be fragmented? If so, why and can this be redesigned?
> Or is this a principle behaviour with all ipsec implementations?
> Thanks
> Norbert

Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===

More information about the Users mailing list