I've had problems setting up IPsec sessions using certificates.

Basically, the IKEv2 packets are large UDP packets and they are fragmented.

I believe that using ECDSA instead of RSA certificates reduces the size
of these packets, but ECDSA is not universally supported.  I'd like to
understand whether Shorewall can and should support these fragmented UDP
flows.

I found a post from 3 December suggesting that IPv6 fragmentation is
troublesome without a recent kernel so I'm just looking at IPv4 for now.

Looking at the problem with tcpdump, I typically see UDP packets sent
with 1644 bytes, slightly bigger than the MTU.

Are there any specific rules or shorewall.conf settings that need to be
added/tweaked to make this work?

This was initially discussed on strongSwan-users:
https://lists.strongswan.org/pipermail/users/2013-July/009434.html


_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users