[Openswan Users] Phase 1 hangs
Erich Titl
erich.titl at think.ch
Thu Aug 12 17:25:53 EDT 2010
Hi Paul
on 12.08.2010 18:36, Paul Wouters wrote:
> On Thu, 12 Aug 2010, Erich Titl wrote:
>
>> I have an OpenSwan installation with roughly 100 tunnels going. The
>> clients use certificates for authentication.
>>
>> Trying to add another client using the same software and comparable
>> configuration gets a hang on Phase 1.
>
>> 000 pubkey: 2048 RSA Key AwEAAcehC, has private key
>
> Do your other clients use a 2048 bit RSA key as well? That definitely
> causes IKE fragmentation, as such a big key won't fit in a single IKE
> packet.
Some do, some don't. A few years past I paid extra attention to generate
1024 bit keys as I observed fragmentation. Later some experiments showed
that 2048 bit keys were possible even with a PPPoE based connection with
a payload of 1472 Bytes. I tried a certificate from a comparable setup,
but as you mention it now, yes it is DSL, but not PPPoE. I will use the
same connection and certificate on a test system, which is not DSL.
As I don't have control of the network between the two nodes I cannot be
sure the packets do not pass through a segment with a very small packet
size. Does IKE not allow fragmentation at all, and if so, does this imply
that certificate-based connections are more exposed to such
fragmentation issues?
Is the FRAGMENTATION payload not supported by pluto? My pluto code is
fairly old and such an issue could speed up the willingness to update.
Thanks for the quick help
Erich
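The size question raised in this exchange can be worked through numerically. The following is an added example, not code from the thread or from Openswan: it assembles the byte layout of an IKEv1 Main Mode message 5 (ID, CERT and SIG payloads under a 28-byte ISAKMP header, per RFC 2408) and computes how many IPv4 fragments it would need at a given MTU. The certificate bytes, the FQDN `client.example.com`, the DER lengths (1200 bytes for a 2048-bit RSA certificate, 700 for a 1024-bit one) and the AES block size used for padding are all constructed assumptions chosen to be representative, not values from the original post.

```python
"""
Added example (not from the mailing-list thread): estimate the on-the-wire
size of an IKEv1 Main Mode message carrying an X.509 certificate and decide
whether it fits in a single IP packet for a given MTU.

Wire layout follows RFC 2408 (ISAKMP): 28-byte header, 4-byte generic payload
header. Certificate and signature bytes below are constructed placeholders
sized like typical DER certificates and RSA signatures, not real ones.
"""
import math
import struct

ISAKMP_HDR_LEN = 28   # RFC 2408 section 3.1
IP_HDR_LEN = 20       # IPv4 without options
UDP_HDR_LEN = 8

# ISAKMP payload type codes (RFC 2408 section 3.1)
PT_ID, PT_CERT, PT_SIG = 5, 6, 9
CERT_X509_SIG = 4     # CERT encoding: "X.509 Certificate - Signature"
ID_FQDN = 2           # ID type used for the sample identity
EXCH_MAIN_MODE = 2    # Identity Protection exchange
FLAG_ENCRYPTED = 0x01


def generic_payload(next_payload: int, body: bytes) -> bytes:
    """Generic payload header (next payload, reserved, length) followed by body."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def build_main_mode_msg5(cert_der: bytes, signature: bytes, fqdn: bytes,
                         block_size: int = 16) -> bytes:
    """Build message 5 of Main Mode with RSA-signature authentication.

    Payload chain is ID -> CERT -> SIG, padded to the cipher block size as the
    encrypted body would be (block_size=16 assumes AES; 3DES would be 8).
    Cookies and message ID are zero placeholders: the result is for size
    estimation only, not a message a peer would accept.
    """
    id_body = struct.pack("!BBH", ID_FQDN, 0, 0) + fqdn          # type, proto, port
    cert_body = bytes([CERT_X509_SIG]) + cert_der
    payloads = (generic_payload(PT_CERT, id_body)     # ID, next = CERT
                + generic_payload(PT_SIG, cert_body)  # CERT, next = SIG
                + generic_payload(0, signature))      # SIG, next = NONE
    payloads += b"\x00" * ((-len(payloads)) % block_size)
    header = struct.pack("!8s8sBBBBII",
                         bytes(8), bytes(8),          # initiator/responder cookies
                         PT_ID, 0x10,                 # first payload, version 1.0
                         EXCH_MAIN_MODE, FLAG_ENCRYPTED,
                         0,                           # message ID (0 in phase 1)
                         ISAKMP_HDR_LEN + len(payloads))
    return header + payloads


def ip_fragments(udp_payload_len: int, mtu: int) -> int:
    """Number of IPv4 fragments needed for a UDP datagram of this payload size."""
    ip_payload = UDP_HDR_LEN + udp_payload_len
    if IP_HDR_LEN + ip_payload <= mtu:
        return 1
    per_fragment = (mtu - IP_HDR_LEN) // 8 * 8   # fragment offsets are 8-byte units
    return math.ceil(ip_payload / per_fragment)


def assess(cert_len: int, sig_len: int, mtu: int) -> dict:
    """Size a certificate-carrying Main Mode message against an MTU."""
    # Constructed stand-in with a DER SEQUENCE prefix; content is not a real cert.
    cert = b"\x30\x82" + bytes(cert_len - 2)
    msg = build_main_mode_msg5(cert, bytes(sig_len), b"client.example.com")
    assert struct.unpack("!I", msg[24:28])[0] == len(msg)   # header length field
    return {"isakmp_len": len(msg),
            "ip_len": IP_HDR_LEN + UDP_HDR_LEN + len(msg),
            "fragments": ip_fragments(len(msg), mtu)}


if __name__ == "__main__":
    # 2048-bit RSA: ~1200-byte certificate, 256-byte signature (assumed sizes)
    print("2048-bit:", assess(cert_len=1200, sig_len=256, mtu=1472))
    # 1024-bit RSA: ~700-byte certificate, 128-byte signature (assumed sizes)
    print("1024-bit:", assess(cert_len=700, sig_len=128, mtu=1472))
```

With these assumed sizes the 2048-bit case produces a 1532-byte ISAKMP message (1560 bytes with IP and UDP headers), which splits into two IPv4 fragments at a 1472-byte MTU, while the 1024-bit case stays at 920 bytes and needs none. That matches the pattern described in the thread: whether the larger key works depends on every hop between the peers passing IP fragments of UDP/500, which is the thing to verify when Phase 1 stalls only for certain clients.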