Hi, here are five patches to enable IKEv1 fragmentation support for Windows peers. These patches are useful for Windows users who have to live with a broken router or firewall dropping IP fragments.

The patches were tested with Windows XP and Windows 7 peers. I found no way to drop incoming or outgoing IP fragments with Linux connection tracking enabled, so I used

  iptables -t filter -I INPUT -s 192.168.0.1 -p udp -m u32 --u32 '0 & 0xFFFF = 1493:65535' -j DROP
  iptables -t filter -I OUTPUT -d 192.168.0.1 -p udp -m u32 --u32 '0 & 0xFFFF = 1493:65535' -j DROP

on gateway sun as a rough equivalent for a broken router in a setup like this one:

  http://www.strongswan.org/uml/testresults/ikev1/nat-rw

To enable fragmentation support with Windows 7 peers it's necessary to use fragmentation=onlycerts. For Windows XP, fragmentation=onlycerts or fragmentation=yes works.

Comments or suggestions are always welcome.

Regards,
Volker

_______________________________________________
Dev mailing list
https://lists.strongswan.org/mailman/listinfo/dev
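The u32 match in the rules above is terse, so here is an added example (not from the post or from strongSwan) that emulates what the INPUT rule tests: it loads the first 32-bit word of the IPv4 header, masks off the Total Length field and drops UDP datagrams from the peer whose length falls in 1493..65535, which is why an unfragmented IKEv1 message carrying a certificate never gets through while fragmented pieces do. The packets are constructed inline; the destination address 10.1.0.1 is a placeholder.

```python
import socket
import struct

IPPROTO_UDP = 17


def build_ipv4_udp(total_len: int, src: str, dst: str) -> bytes:
    """Constructed test packet: 20-byte IPv4 header, 8-byte UDP header
    (ports 500/500 as for IKE) and zero filler up to total_len bytes.
    Checksums are left zero; the u32 match never looks at them."""
    if total_len < 28:
        raise ValueError("need room for IPv4 and UDP headers")
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0x1234, 0x4000, 64,
                         IPPROTO_UDP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    udp_hdr = struct.pack("!HHHH", 500, 500, total_len - 20, 0)
    return ip_hdr + udp_hdr + b"\x00" * (total_len - 28)


def u32_total_len_in_range(packet: bytes, lo: int, hi: int) -> bool:
    """Emulate -m u32 --u32 '0 & 0xFFFF = lo:hi': read the 32-bit word at
    offset 0 of the IP header (version/IHL, TOS, Total Length), keep the
    low 16 bits (Total Length) and test the inclusive range lo..hi."""
    (word,) = struct.unpack("!I", packet[:4])
    return lo <= (word & 0xFFFF) <= hi


def rule_drops(packet: bytes, peer: str,
               lo: int = 1493, hi: int = 65535) -> bool:
    """True when the INPUT rule from the post would DROP the packet:
    source address is the peer, protocol is UDP, u32 length test matches.
    With conntrack active the kernel reassembles fragments before the
    filter table, so Total Length is that of the whole datagram."""
    proto = packet[9]
    src = socket.inet_ntoa(packet[12:16])
    return (src == peer and proto == IPPROTO_UDP
            and u32_total_len_in_range(packet, lo, hi))


if __name__ == "__main__":
    peer = "192.168.0.1"
    for length in (500, 1492, 1493, 3000):   # 3000 ~ IKE message with cert
        pkt = build_ipv4_udp(length, peer, "10.1.0.1")
        print(f"{length:5d} bytes from {peer}: "
              f"{'DROP' if rule_drops(pkt, peer) else 'pass'}")
```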
