On Tue, 21 Oct 2014, Bob Miller wrote:

> Turned out this was the correct path to a fix, but I didn't see it till
> I did a verbose tcpdump.  The cert with 1024 bit key was still too big,
> so I made another cert with an 800 bit key, and that succeeded in
> connecting.
>
> ugh...
>
> I am curious as to how one identifies what is causing this.

Most likely an ISP on the path is filtering UDP fragments.

> When I saw it in the tcpdump, it was giving an error like len mismatch:
> isakmp 1532/ip 1468 when I was using the 1024 key, which makes me think
> I am not receiving fragmented packets.  Yet when I set the tablet as a
> hotspot and connect with a windows machine through it, I can connect
> with a 4096 bit cert, and when connecting with the tablet through a
> non-lte network, the 4096 key works on the tablet too, so surely things
> are fragmenting?  So is this problem a function of the tablet, the
> firewall, or something in between?

It might be that those IKE clients support FRAGMENTATION, so libreswan
can detect the missing response and retry using smaller IKE packets.
You should see this in the pluto logs.

Paul
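As an added illustration (not code from this thread or from the libreswan project) of the diagnosis above: the `len mismatch: isakmp 1532/ip 1468` marker means the ISAKMP header promised 1532 bytes but the captured IPv4 datagram only delivered 1468, which is exactly what a first fragment looks like when the trailing fragments were dropped on the path. The script below scans tcpdump-style lines for that marker, reports the shortfall, and works out how IPv4 would have had to fragment a UDP/500 message of that size. The capture lines are constructed to mirror the numbers quoted on the list; the only format assumption is the `len mismatch: isakmp N/ip M` substring itself, and the arithmetic assumes 20-byte IPv4 and 8-byte UDP headers with no IP options.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# tcpdump flags an ISAKMP message whose header length exceeds the bytes that
# actually arrived in the IP datagram with this marker (as quoted in the thread).
LEN_MISMATCH = re.compile(r"len mismatch: isakmp (\d+)/ip (\d+)")

IP_HDR = 20   # IPv4 header without options (assumption)
UDP_HDR = 8   # UDP header


@dataclass
class Mismatch:
    isakmp_len: int  # length claimed by the ISAKMP header
    ip_len: int      # ISAKMP bytes actually present in the captured datagram

    @property
    def missing(self) -> int:
        return self.isakmp_len - self.ip_len


def parse_len_mismatch(line: str) -> Optional[Mismatch]:
    """Return the (claimed, delivered) lengths if the line carries the marker."""
    m = LEN_MISMATCH.search(line)
    if not m:
        return None
    return Mismatch(int(m.group(1)), int(m.group(2)))


def ipv4_fragment_plan(udp_payload: int, mtu: int = 1500) -> List[int]:
    """Per-fragment IP payload sizes for a UDP datagram carrying udp_payload bytes.

    Every fragment except the last must carry a multiple of 8 bytes, and the
    first fragment also carries the UDP header.  A one-element result means
    the message fits in a single datagram and never needs reassembly.
    """
    per_frag = (mtu - IP_HDR) // 8 * 8
    remaining = UDP_HDR + udp_payload
    sizes: List[int] = []
    while remaining > per_frag:
        sizes.append(per_frag)
        remaining -= per_frag
    sizes.append(remaining)
    return sizes


def diagnose(capture_lines: List[str], mtu: int = 1500) -> List[dict]:
    """Scan capture output and explain each length mismatch.

    A positive shortfall paired with a multi-fragment plan is the signature
    of fragments being filtered somewhere between the peers: the first
    fragment is delivered, the rest never show up, and IKE stalls.
    """
    findings = []
    for line in capture_lines:
        mm = parse_len_mismatch(line)
        if mm is None:
            continue
        plan = ipv4_fragment_plan(mm.isakmp_len, mtu)
        findings.append({
            "isakmp_len": mm.isakmp_len,
            "ip_len": mm.ip_len,
            "missing": mm.missing,
            "fragments_expected": len(plan),
            "verdict": ("probable fragment loss on path"
                        if mm.missing > 0 and len(plan) > 1
                        else "no fragment loss indicated"),
        })
    return findings


# Constructed sample capture lines (only the bracketed marker is assumed real).
SAMPLE_CAPTURE = [
    "IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident",
    "IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: phase 1 R ident "
    "[len mismatch: isakmp 1532/ip 1468]",
]

if __name__ == "__main__":
    for f in diagnose(SAMPLE_CAPTURE):
        print(f)
    print("fragment plan for a 1532-byte IKE message at MTU 1500:",
          ipv4_fragment_plan(1532))
```

With the 1024-bit certificate the IKE message is a few dozen bytes past what one 1500-byte datagram can carry, so it spans two fragments and the second one is what the LTE path is eating; the 800-bit certificate pulls the message back under the limit, which is why it "fixed" the problem. The pluto-side FRAGMENTATION retry Paul mentions sidesteps the same arithmetic by keeping each IKE packet inside a single datagram.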
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan