[Openswan Users] Phase 1 hangs

Erich Titl erich.titl at think.ch
Thu Aug 12 17:25:53 EDT 2010

Hi Paul

on 12.08.2010 18:36, Paul Wouters wrote:
> On Thu, 12 Aug 2010, Erich Titl wrote:
>> I have an OpenSwan installation with roughly 100 tunnels going. The
>> clients use certificates for authentication.
>> Trying to ad another client using the same software and comparable
>> configuration gets a hang on Phase 1
>> 000 pubkey: 2048 RSA Key AwEAAcehC, has private key
> Do your other clients use a 2048 bit RSA key as well? That definitely
> causes
> IKE fragmentation, as such a big key won't fit in a single IKE packet.

Some do, some don't. A few years past I paid extra attention to generate 
1024 bit keys as I observed fragmentation. Later some experiments showed 
that 2048 bit keys were possible even with a pppoE based connection with 
a payload of 1472 Bytes. I tried a certificate from a comparable set up, 
but as you mention it now, yes it is DSL, but not pppoE. I will use the 
same connection and certificate on a test system, which is not DSL.

As I don't have control of the network between the two nodes I cannot be 
sure the packets do not pass through a segment with a very small packet 
size. Does IKE not allow fragmentation at all and if so, does this imply 
that certificate based  connections are more exposed to such 
fragmentation issues.

Is the FRAGMENTATION payload not supported by pluto? My pluto code is 
fairly old and such an issue could speed up the willingness to update.

Thanks for the quick help


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3409 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.openswan.org/pipermail/users/attachments/20100812/a221fef0/attachment.bin 

More information about the Users mailing list