It seems strongswan has actually shown a regression. I bumped my machine to use 5.3.3 and do a test where strongswan initiates and we want fragmentation. It failed to send the notify payload. I then added fragmentation=yes and it still didn't send the notify:
--- ./west.console.txt 2015-09-17 17:27:01.672530145 -0400 +++ OUTPUT/west.console.txt 2015-10-03 15:01:48.889730298 -0400 @@ -35,6 +35,7 @@ Loading conn 'westnet-eastnet-ikev2' authby=secret auto=add + fragmentation=yes keyexchange=ikev2 left=192.1.2.45 leftid=@west @@ -49,7 +50,7 @@ west # strongswan up westnet-eastnet-ikev2 initiating IKE_SA westnet-eastnet-ikev2[1] to 192.1.2.23 -generating IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ] +generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ] sending packet: from 192.1.2.45[500] to 192.1.2.23[500] (XXX bytes) received packet: from 192.1.2.23[500] to 192.1.2.45[500] (XXX bytes) parsed IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) ]

I have to dive into why this notification payload is no longer appearing.... But it's not due to bad versions of strongswan, which I told people before....

Paul
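Review bot: In the second hunk, the `+generating IKE_SA_INIT request 0` line still lists N(FRAG_SUP); it has moved from before N(NATD_S_IP) to after N(NATD_D_IP), so what this console diff records is a change in notify payload order, not a missing notify. The unchanged context line for the response from 192.1.2.23 also still carries N(FRAG_SUP). If the order of notify payloads is not something the test is meant to pin down, the reference west.console.txt should be refreshed (including the `fragmentation=yes` line echoed in the first hunk) or the comparison should normalize payload order, so that a reordering does not read as a failure.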
