[Openswan Users] Re: [strongSwan] fragmentation in *swan implementations

Norbert Wegener nw at sbs.de
Thu Feb 17 20:23:31 CET 2005


Hello Andreas,
the MTU size of the gateway's network interface is 1500. Therefore I 
think there will be two separate datagrams leaving the gateway.
Sniffing at the client's end will probably be difficult. I will ask 
them whether they are willing to do so. Due to the time lag between 
here and Singapore and the fact that the users there have to do it after 
work at home, it will take some time. Nevertheless I will try to convince 
them.
Thanks and best regards
Norbert

Andreas Steffen wrote:

> Hi Norbert,
>
> I'm not aware that *swan does any IP fragmentation on its own for
> IKE datagrams. It would be interesting to know if the 1580 byte datagram
> leaves the gateway in one piece or already as two separate IP 
> fragments.
> It would also be helpful to know if one or both fragments arrive at the
> XP client.  Running a network sniffer on both the client and the gateway
> will shed some light on this matter.
>
> Regards
>
> Andreas
>
> Norbert Wegener wrote:
>
>> A user of one of our customers in Singapore could not connect to a 
>> local *swan gateway, but could connect to a gateway in Germany, which 
>> is configured identically.
>> He uses certificates for authentication.
>> Looking at the oakley logfile on the user's windows xp pc,
>> it turned out, that the Singapore gateway sent messages, that were 
>> not received by the user located in Singapore. The corresponding 
>> pluto log entry is the following:
>> sending 1580 bytes for STATE_MAIN_R2 through eth1
>> When the German gateway sent packets of exactly the same size, they 
>> were received. This mysterious behaviour could be circumvented by 
>> reducing the size of
>> the server's certificate, as proposed a few times long ago on the lists.
>> I suppose that a packet was dropped that must not have been fragmented.
>> My question is: Is it a design decision within *swan, that some 
>> packets must not be fragmented? If so, why and can this be redesigned?
>> Or is this a principle behaviour with all ipsec implementations?
>> Thanks
>> Norbert
>
>
> =======================================================================
> Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
> strongSec GmbH                    home:   http://www.strongsec.com
> Alter Zürichweg 20                phone:  +41 1 730 80 64
> CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
> ==========================================[strong internet security]===
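Added example (not part of the thread above, and not code from the *swan projects): a small model of what happens to the 1580-byte STATE_MAIN_R2 datagram mentioned in the thread when the sending interface has a 1500-byte MTU. The 1580/1500 figures are taken from the messages above; the 20-byte IP header (no IP options), the 8-byte UDP header and the "stateless filter matching on UDP port 500" in `stateless_udp_port_filter` are assumptions made for illustration. The point it shows is that only the first fragment carries the UDP header with the IKE ports, so any device that classifies packets by port alone never passes the second fragment, and the receiver can then never reassemble the datagram. `max_unfragmented_ike_payload` gives the largest IKE message that avoids fragmentation altogether, which is what shrinking the certificate achieves.

```python
"""IPv4 fragmentation of a UDP/500 (IKE) datagram, as a worked model.

Constructed example: figures 1580 (datagram) and 1500 (MTU) come from the
mailing-list thread; header sizes and the port-only filter are assumptions.
"""
from dataclasses import dataclass
from typing import List

IP_HDR = 20      # IPv4 header without options (assumption)
UDP_HDR = 8      # UDP header
IKE_PORT = 500   # IKE / ISAKMP


@dataclass
class Fragment:
    total_length: int     # bytes on the wire for this IP packet
    offset: int           # IP fragment offset field, in 8-byte units
    more_fragments: bool  # MF flag
    has_udp_header: bool  # only the fragment at offset 0 carries the ports


def fragment_ip_datagram(datagram_len: int, mtu: int) -> List[Fragment]:
    """Split an IPv4 datagram (length includes its IP header) to fit `mtu`.

    Every fragment except the last must carry a payload that is a multiple
    of 8 bytes, because the offset field counts 8-byte units.
    """
    if datagram_len <= mtu:
        return [Fragment(datagram_len, 0, False, True)]
    payload_total = datagram_len - IP_HDR
    max_payload = (mtu - IP_HDR) // 8 * 8   # 1480 for MTU 1500
    frags: List[Fragment] = []
    sent = 0
    while sent < payload_total:
        chunk = min(max_payload, payload_total - sent)
        more = sent + chunk < payload_total
        frags.append(Fragment(IP_HDR + chunk, sent // 8, more, sent == 0))
        sent += chunk
    return frags


def stateless_udp_port_filter(frags: List[Fragment],
                              port: int = IKE_PORT) -> List[Fragment]:
    """Hypothetical filter that only passes packets whose UDP header shows
    `port`.  Non-first fragments have no UDP header, so they are dropped."""
    return [f for f in frags if f.has_udp_header]


def reassembles(frags: List[Fragment]) -> bool:
    """True if the fragments cover the datagram contiguously from offset 0
    up to a final fragment with MF clear."""
    ordered = sorted(frags, key=lambda f: f.offset)
    expected = 0
    for f in ordered:
        if f.offset * 8 != expected:
            return False
        expected += f.total_length - IP_HDR
    return bool(ordered) and not ordered[-1].more_fragments


def max_unfragmented_ike_payload(mtu: int) -> int:
    """Largest IKE message (UDP payload) that leaves in a single IP packet."""
    return mtu - IP_HDR - UDP_HDR


if __name__ == "__main__":
    frags = fragment_ip_datagram(1580, 1500)
    for f in frags:
        print(f)
    print("all fragments reassemble:", reassembles(frags))
    print("after port-only filter:", reassembles(stateless_udp_port_filter(frags)))
    print("max IKE payload without fragmentation:", max_unfragmented_ike_payload(1500))
```

Sniffing on the gateway side, as suggested in the thread, is what decides whether this model applies: the first fragment still matches a "udp port 500" capture filter, but the second only shows up in a capture that includes non-first fragments (for tcpdump, `ip[6:2] & 0x1fff != 0`).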