[Openswan Users] Phase 1 hangs

Erich Titl erich.titl at think.ch
Fri Aug 13 03:48:32 EDT 2010

Hi Paul

at 12.08.2010 18:36, Paul Wouters wrote:
> On Thu, 12 Aug 2010, Erich Titl wrote:
>> I have an OpenSwan installation with roughly 100 tunnels going. The
>> clients use certificates for authentication.
>> Trying to ad another client using the same software and comparable
>> configuration gets a hang on Phase 1
>> 000        pubkey:   2048 RSA Key AwEAAcehC, has private key
> Do your other clients use a 2048 bit RSA key as well? That definitely
> causes
> IKE fragmentation, as such a big key won't fit in a single IKE packet.

I have verified the IKE fragmentation issue, indeed the packet gets
fragmented. What puzzles me is that the same setup, also with a
fragmented packet makes it from another system, although not over ppp.

Looking at the packets on the central host, it is obvious that the
fragmented packet from one site gets reassembled whereas the one from
the failing site does not even arrive. It looks like someone in the
middle drops the second packet.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3409 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.openswan.org/pipermail/users/attachments/20100813/b5d3dfec/attachment.bin 

More information about the Users mailing list