[Openswan Users] udp fragmented ike packet

Jacco de Leeuw jacco2 at dds.nl
Fri Dec 22 16:37:48 EST 2006

Marco Berizzi wrote:

>>tcpdump on the machine itself doesn't provide entirely
>>reliable results with NETKEY.
> Why not?

There is no separate interface for unencrypted packets, unlike KLIPS.
So you get a mix of encrypted and unencrypted packets with NETKEY.

>>As far as I know Openswan does not support IKE fragmentation.
> Ahh, I didn't know this...
> Is there a way to disable it in windows XPsp2?

Not that I know but you can work around the problem, for example by
reducing the size of the certificate or by switching to a PSK. But
these are probably not attractive options. Or you could eliminate the
(NAT) devices that don't support fragments. Or try the usual MTU
workarounds such as reducing the MTU on your external interface.

Alternatively, get some funding for the Openswan guys to implement
IKE fragmentation. Or submit a patch yourself :-).
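A defender-side check for the situation discussed in this thread, added here as an example that is not from the original mail: given raw IPv4 packets (constructed below, not captured), it reports which IKE datagrams arrived as more than one IP fragment, the symptom that appears when a large certificate pushes the IKE packet past the path MTU and that fragment-dropping NAT devices then break. It assumes raw IPv4 with no link-layer header and ignores IPv6.

```python
"""Added example (not from the Openswan thread): flag IKE datagrams that were
IP-fragmented. Packets below are constructed for the demonstration."""
import struct

IKE_PORTS = {500, 4500}  # IKE and IKE over UDP NAT-T encapsulation
UDP = 17

def parse_ipv4(pkt: bytes) -> dict:
    """Header fields needed for fragment analysis (raw IPv4, no link layer)."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto = \
        struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "proto": proto,
            "mf": bool(flags_frag & 0x2000),     # More Fragments bit
            "offset": (flags_frag & 0x1FFF) * 8,  # fragment offset in bytes
            "payload": pkt[ihl:total_len]}

def fragmented_ike_ids(packets) -> set:
    """IP identification values of IKE datagrams seen in more than one fragment.
    Only the first fragment (offset 0) carries the UDP header, so ports are
    checked there; later fragments are tied to it through the IP id."""
    ike_ids, frag_ids = set(), set()
    for pkt in packets:
        h = parse_ipv4(pkt)
        if h["proto"] != UDP:
            continue
        if h["offset"] == 0:
            sport, dport = struct.unpack("!HH", h["payload"][:4])
            if sport in IKE_PORTS or dport in IKE_PORTS:
                ike_ids.add(h["id"])
        if h["mf"] or h["offset"] > 0:
            frag_ids.add(h["id"])
    return ike_ids & frag_ids

def build_ipv4(ident, mf, offset_bytes, proto, payload):
    """Constructed IPv4 packet; checksum left zero since it is not checked here."""
    flags_frag = (0x2000 if mf else 0) | (offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + payload

def udp(sport, dport, body):
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body

def sample_packets():
    """Constructed traffic: one fragmented IKE datagram, one whole DNS datagram,
    one fragmented non-IKE datagram."""
    return [
        build_ipv4(0x1234, True, 0, UDP, udp(500, 500, b"\x00" * 1200)),    # IKE, fragment 1
        build_ipv4(0x1234, False, 1208, UDP, b"\x00" * 200),                # IKE, last fragment
        build_ipv4(0x5678, False, 0, UDP, udp(53, 53, b"\x00" * 10)),       # whole DNS datagram
        build_ipv4(0x9abc, True, 0, UDP, udp(4000, 53, b"\x00" * 1200)),    # fragmented, not IKE
    ]
```

Running `fragmented_ike_ids(sample_packets())` on the constructed traffic returns only the IP id of the fragmented IKE exchange.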

