On 05/07/13 17:08, Tom Eastep wrote:
> On 07/05/2013 02:55 AM, Daniel Pocock wrote:
>>
>> I've had problems setting up IPsec sessions using certificates
>>
>> Basically, the IKEv2 packets are large UDP packets and they are fragmented
>>
>> I believe that using ECDSA instead of RSA certificates reduces the size
>> of these packets, but ECDSA is not universally supported.  I'd like to
>> understand whether Shorewall can and should support these fragmented UDP
>> flows.
>>
>> I found a post from 3 December suggesting that IPv6 fragmentation is
>> troublesome without a recent kernel so I'm just looking at IPv4 for now.
>>
>> Looking at the problem with tcpdump, I typically see UDP packets sent
>> with 1644 bytes, slightly bigger than the MTU.
>>
>> Are there any specific rules or shorewall.conf settings that need to be
>> added/tweaked to make this work?
>>
> 
> There is nothing in Shorewall having to do with over-sized UDP packets.
> 

The reply from strongSwan-users suggests that firewalls drop the second
fragment:
https://lists.strongswan.org/pipermail/users/2013-July/009434.html

This is your comment that I found about IPv6 UDP fragmentation with
netfilter:
http://sourceforge.net/mailarchive/forum.php?thread_name=f1856b2e7fe64ea9a38c645f0c7e9ea1%40davenport.net.nz&forum_name=shorewall-users

I realise these are not strictly Shorewall faults, but do additional
rules need to be created to tolerate these fragments?  Or should just
allowing a particular UDP port be enough?  There is no NAT or masquerading
involved on the Shorewall machine (sometimes the VPN client is coming
through NAT and the fragments could be lost at that firewall too).

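As an added illustration, not part of the thread, here is a small Python model of how an oversized IPv4/UDP datagram is fragmented and why a stateless per-fragment port rule can only ever match the first fragment. It assumes the 1644 bytes seen in tcpdump is the IP total length, a 1500-byte MTU, and uses IKE's standard UDP port 500 as the sample destination.

```python
"""Model IPv4 fragmentation of an oversized IKEv2/UDP datagram.

Constructed example, not from the thread: a datagram whose IP total
length is 1644 bytes (assumed here to be the length tcpdump showed)
must be split to fit a 1500-byte MTU.  Only the first fragment carries
the UDP header, so a stateless per-fragment 'udp dport' rule can never
match the second one.
"""
from dataclasses import dataclass
from typing import Optional

IP_HEADER = 20   # IPv4 header without options
UDP_HEADER = 8
IKE_PORT = 500   # standard IKE destination port


@dataclass
class Fragment:
    offset: int                   # byte offset into the L4 payload (8-aligned)
    payload_len: int              # bytes of L4 payload carried
    more_fragments: bool          # MF flag
    udp_dst_port: Optional[int]   # visible only when the UDP header is here

    @property
    def total_length(self) -> int:
        return IP_HEADER + self.payload_len


def fragment(ip_total_length: int, mtu: int, dst_port: int) -> list:
    """Split a UDP datagram into IPv4 fragments that each fit the MTU."""
    l4_len = ip_total_length - IP_HEADER
    max_payload = (mtu - IP_HEADER) // 8 * 8   # fragment payload is 8-byte aligned
    frags, offset = [], 0
    while offset < l4_len:
        size = min(max_payload, l4_len - offset)
        # Ports live in the first 8 bytes of the L4 payload, so only the
        # fragment at offset 0 lets a filter see the UDP destination port.
        port = dst_port if offset == 0 and size >= UDP_HEADER else None
        frags.append(Fragment(offset, size, offset + size < l4_len, port))
        offset += size
    return frags


def port_rule_matches(frag: Fragment, allowed_port: int) -> bool:
    """A stateless 'ACCEPT udp dport allowed_port' rule applied to one fragment."""
    return frag.udp_dst_port == allowed_port


if __name__ == "__main__":
    for f in fragment(1644, 1500, IKE_PORT):
        print(f"offset={f.offset:5d} len={f.total_length:5d} "
              f"MF={int(f.more_fragments)} matches: {port_rule_matches(f, IKE_PORT)}")
```

On Linux the reassembly is normally done for you: loading connection tracking pulls in nf_defrag_ipv4, so filter rules see the whole datagram rather than the portless second fragment.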
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users