On 07/05/2013 02:55 AM, Daniel Pocock wrote:
>
> I've had problems setting up IPsec sessions using certificates
>
> Basically, the IKEv2 packets are large UDP packets and they are fragmented
>
> I believe that using ECDSA instead of RSA certificates reduces the size
> of these packets, but ECDSA is not universally supported. I'd like to
> understand whether Shorewall can and should support these fragmented UDP
> flows.
>
> I found a post from 3 December suggesting that IPv6 fragmentation is
> troublesome without a recent kernel so I'm just looking at IPv4 for now.
>
> Looking at the problem with tcpdump, I typically see UDP packets sent
> with 1644 bytes, slightly bigger than the MTU.
>
> Are there any specific rules or shorewall.conf settings that need to be
> added/tweaked to make this work?
>

There is nothing in Shorewall having to do with over-sized UDP packets.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
