On 26/05/16 00:56, Paul Wouters wrote:
> ESP and packet size should not be affected for IKE AUTH method. So that is
> odd.
>
> The cert probably hits your mtu and is getting fragmented and possibly your
> fragments are mistakenly dropped by a firewall.
>
> You can try setting fragmentation=force
>

Without changing anything I tried to connect today. The Windows client is
failing again with Error 809!!

I set fragmentation=force. No change.

I tried lower and lower settings for MSS but that experiment didn't help. :-\

Not sure what else I can do...

>
>> On May 25, 2016, at 02:32, Tom Robinson <[email protected]> wrote:
>>
>> On 25/05/16 16:22, Tom Robinson wrote:
>>>> Below is a network trace of the Windows connection being established.
>>>> Should I be worried about the Fragmentation? On the firewall I have
>>>> clamped the MSS to 1400 for IPSEC tunnelling.
>>>>
>>>> 1 0.000000000 165.228.94.4 -> 115.70.189.242 ISAKMP 922
>>>> 2 0.001086847 115.70.189.242 -> 165.228.94.4 ISAKMP 339
>>>> 3 0.048702978 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=0, ID=47b2)
>>>> 4 0.061718266 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=1368, ID=47b2)
>>>> 5 0.066892052 165.228.94.4 -> 115.70.189.242 ISAKMP 594
>>>> 6 0.076894733 115.70.189.242 -> 165.228.94.4 IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=848d)
>>>> 7 0.076953733 115.70.189.242 -> 165.228.94.4 ISAKMP 474
>>>> 8 1.048806004 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=0, ID=47b3)
>>>> 9 1.061378747 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=1368, ID=47b3)
>>>> 10 1.066515615 165.228.94.4 -> 115.70.189.242 ISAKMP 594
>>>> 11 1.066817202 115.70.189.242 -> 165.228.94.4 ISAKMP 343
>>>> 12 2.061653284 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=0, ID=47b4)
>>>> 13 2.074207523 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=1368, ID=47b4)
>>>> 14 2.079655604 165.228.94.4 -> 115.70.189.242 ISAKMP 594
>>>> 15 2.079883081 115.70.189.242 -> 165.228.94.4 ISAKMP 343
>>>> 16 14.955166129 115.70.189.242 -> 165.228.94.4 ISAKMP 106
>>>> 17 15.086739890 115.70.189.242 -> 165.228.94.4 ISAKMP 106
>>>
>>>
>>> On the firewall I've lowered the MSS to 1398 and it's working now. Why does
>>> this connection need two extra bytes to be happy? It's actually traversing
>>> the same internet link.
>>
>> I'm not really understanding what just happened. Although it's connecting
>> now without error I'm still seeing fragmentation on VPN connection startup:
>>
>> 1 0.000000000 165.228.94.4 -> 115.70.189.242 ISAKMP 922
>> 2 0.001094248 115.70.189.242 -> 165.228.94.4 ISAKMP 339
>> 3 0.064956489 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=0, ID=13c1)
>> 4 0.078018322 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=1368, ID=13c1)
>> 5 0.083183106 165.228.94.4 -> 115.70.189.242 ISAKMP 594
>> 6 0.148332286 115.70.189.242 -> 165.228.94.4 IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=96ac)
>> 7 0.148368257 115.70.189.242 -> 165.228.94.4 ISAKMP 474
>> 8 0.217055356 165.228.94.4 -> 115.70.189.242 ESP 126 ESP (SPI=0x8c512869)
>> 9 0.218572760 165.228.94.4 -> 115.70.189.242 ESP 126 ESP (SPI=0x8c512869)
>> 10 0.234054672 165.228.94.4 -> 115.70.189.242 ESP 126 ESP (SPI=0x8c512869)
>> 11 0.238590112 165.228.94.4 -> 115.70.189.242 ESP 126 ESP (SPI=0x8c512869)
>> 12 0.240755201 165.228.94.4 -> 115.70.189.242 ESP 158 ESP (SPI=0x8c512869)
>> 13 0.245197092 165.228.94.4 -> 115.70.189.242 ESP 414 ESP (SPI=0x8c512869)
>>
>> From there it seems to be happy enough. Anyone have any clues about this?
>>
>> Kind regards,
>> Tom
>>
>
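The two traces quoted above can be read mechanically rather than by eye. The script below is an added example, not part of this thread or of libreswan: it parses tshark-style summary lines, reassembles the fragmented IKE datagrams so their real size is visible, derives the largest frame each side puts on the wire (its effective MTU), predicts how many fragments a datagram of that size must produce at that MTU, and reports two signals a troubleshooter wants from such a capture: the same IKE datagram being retransmitted (the sender got no usable reply) and whether ESP ever appeared (the tunnel came up). It assumes 14-byte Ethernet and option-less 20-byte IPv4 headers, and relies on tshark printing the last fragment of a run as the reassembled protocol (the `ISAKMP 594` / `ISAKMP 474` lines after the `Fragmented IP protocol` lines). The sample input is the thread's own trace, trimmed and embedded as constants.

```python
import math
import re
from collections import Counter

# Sample input constructed from the trace quoted in the thread: the failing
# attempt (frames 1-15) and the start of the working one (frames 3-8).
FAILING = """\
1 0.000000000 165.228.94.4 -> 115.70.189.242 ISAKMP 922
2 0.001086847 115.70.189.242 -> 165.228.94.4 ISAKMP 339
3 0.048702978 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=0, ID=47b2)
4 0.061718266 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=1368, ID=47b2)
5 0.066892052 165.228.94.4 -> 115.70.189.242 ISAKMP 594
6 0.076894733 115.70.189.242 -> 165.228.94.4 IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=848d)
7 0.076953733 115.70.189.242 -> 165.228.94.4 ISAKMP 474
8 1.048806004 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=0, ID=47b3)
9 1.061378747 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=1368, ID=47b3)
10 1.066515615 165.228.94.4 -> 115.70.189.242 ISAKMP 594
11 1.066817202 115.70.189.242 -> 165.228.94.4 ISAKMP 343
12 2.061653284 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=0, ID=47b4)
13 2.074207523 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=1368, ID=47b4)
14 2.079655604 165.228.94.4 -> 115.70.189.242 ISAKMP 594
15 2.079883081 115.70.189.242 -> 165.228.94.4 ISAKMP 343
"""
WORKING = """\
3 0.064956489 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=0, ID=13c1)
4 0.078018322 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=1368, ID=13c1)
5 0.083183106 165.228.94.4 -> 115.70.189.242 ISAKMP 594
6 0.148332286 115.70.189.242 -> 165.228.94.4 IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=96ac)
7 0.148368257 115.70.189.242 -> 165.228.94.4 ISAKMP 474
8 0.217055356 165.228.94.4 -> 115.70.189.242 ESP 126 ESP (SPI=0x8c512869)
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+) -> (\S+)\s+(\S+)\s+(\d+)\s*(.*)$")
FRAG_RE = re.compile(r"off=(\d+), ID=([0-9a-fA-F]+)")
ETH_HDR, IP_HDR = 14, 20  # assumed: Ethernet and option-less IPv4 header sizes


def parse_trace(text):
    """Turn tshark summary lines into dicts; lines that do not match are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            frames.append({"src": m.group(3), "dst": m.group(4), "proto": m.group(5),
                           "len": int(m.group(6)), "info": m.group(7)})
    return frames


def reassemble(frames):
    """Group IP fragments back into datagrams.

    tshark prints the final fragment as the reassembled upper protocol, so a run
    of fragments is closed by the next non-fragment frame for the same src/dst.
    'payload' is bytes after the IP header, 'wire' the largest frame seen.
    """
    pending, done = {}, []
    for f in frames:
        key, payload = (f["src"], f["dst"]), f["len"] - ETH_HDR - IP_HDR
        frag = FRAG_RE.search(f["info"]) if f["proto"] == "IPv4" else None
        if frag:
            off, frag_id = int(frag.group(1)), frag.group(2)
            if off == 0:
                pending[key] = {"src": f["src"], "dst": f["dst"], "id": frag_id,
                                "proto": "incomplete", "payload": 0, "pieces": 0, "wire": 0}
            d = pending.get(key)
            if d is None or d["id"] != frag_id:
                continue  # fragment of a datagram whose first piece we never saw
        elif key in pending:
            d = pending.pop(key)  # the reassembled tail closes the datagram
            d["proto"] = f["proto"]
            done.append(d)
        else:
            done.append({"src": f["src"], "dst": f["dst"], "id": None, "proto": f["proto"],
                         "payload": payload, "pieces": 1, "wire": f["len"]})
            continue
        d["payload"] += payload
        d["pieces"] += 1
        d["wire"] = max(d["wire"], f["len"])
    done.extend(pending.values())  # runs with no tail: a fragment was lost in transit
    return done


def implied_mtu(datagrams):
    """Largest frame each host put on the wire, minus Ethernet: its effective MTU."""
    mtu = {}
    for d in datagrams:
        mtu[d["src"]] = max(mtu.get(d["src"], 0), d["wire"] - ETH_HDR)
    return mtu


def expected_fragments(payload, mtu):
    """Fragments an IP datagram of this payload needs at a given MTU (offsets are 8-byte units)."""
    per_fragment = (mtu - IP_HDR) // 8 * 8
    return math.ceil(payload / per_fragment)


def ike_retransmits(datagrams):
    """IKE datagrams re-sent with identical src/dst/size: the sender got no usable reply."""
    seen = Counter((d["src"], d["dst"], d["payload"]) for d in datagrams if d["proto"] == "ISAKMP")
    return {k: n - 1 for k, n in seen.items() if n > 1}


def tunnel_established(datagrams):
    """ESP traffic after the IKE exchange means the child SA came up."""
    return any(d["proto"] == "ESP" for d in datagrams)


if __name__ == "__main__":
    for name, text in (("failing", FAILING), ("working", WORKING)):
        dg = reassemble(parse_trace(text))
        big = [(d["src"], d["payload"], d["pieces"]) for d in dg if d["pieces"] > 1]
        print(name, "fragmented datagrams (src, bytes, pieces):", big)
        print(name, "implied MTU:", implied_mtu(dg), "retransmits:", ike_retransmits(dg),
              "ESP seen:", tunnel_established(dg))
```

Run against the failing capture it shows the client's IKE_AUTH datagram is about 3.3 KB and leaves the client in three 1388-byte-MTU fragments, that the same datagram is sent three times without ESP ever appearing, and that the responder's reply is itself fragmented at 1500. Since IKE runs over UDP, the fragmentation it shows is governed by the path MTU, not by TCP MSS clamping; `expected_fragments` lets you check what a given MTU would do to a datagram of that size before changing anything on the firewall.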
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
