On 26/05/16 15:49, Tom Robinson wrote:
> I've analysed the packets for both connections (remember; one connection is old and works and the other is new and fails).
> 
> On the old connection the IKE_AUTH packet from the client gets fragmented into three and then reassembled. It's 3296 bytes on reassembly. The server responds with IKE_AUTH and the connection comes up without any further fragmentation. At this stage I see lots of ESP packets coming to and fro.
> 
> On the new connection the IKE_AUTH progresses in the same way as for the old connection (packet from the client gets fragmented into three and then reassembled. It's also 3296 bytes). The server responds with IKE_AUTH four times but the client seems to ignore it and resends another IKE_AUTH packet instead. This packet gets fragmented as before. After packet reassembly, the server then responds with IKE_SA_INIT. The client seems to ignore this again and resends another fragmented IKE_AUTH. The client gives up with "Error 809".
> 

I'm still stumped by this.

Can someone please clarify the 'fragmentation' setting wrt 'a size larger than 576 bytes' (from the man page)?

I have a number of ISAKMP (IKE_AUTH) packets received on the client that have been fragmented and apparently ignored. There are four packets, three of which are 568 bytes, the last being 512 bytes. They are not being reassembled (according to Wireshark) on the client. All four packets have the "don't fragment" flag set.

Is the 'fragmentation=force' setting missing these packets due to their small size?
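As an added diagnostic example (not from this post and not Libreswan code), the script below parses IKEv2 datagrams whose first payload is the Encrypted Fragment payload (type 53, RFC 7383) and checks whether each fragment set is complete, which is the precondition a capture tool needs before it can reassemble. The sample datagrams are constructed: SPIs, message IDs and payload bytes are made up, and the sizes are chosen to mirror the 568/512-byte fragments mentioned above.

```python
import struct
from collections import defaultdict

# IKEv2 header (RFC 7296 3.1): SPIi, SPIr, next payload, version, exchange, flags, msg id, length
IKEV2_HDR = struct.Struct("!8s8sBBBBII")
# Encrypted Fragment payload header (RFC 7383 2.5): next, C/reserved, length, fragment no, total
SKF_HDR = struct.Struct("!BBHHH")
PAYLOAD_SKF, EXCH_IKE_AUTH = 53, 35
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20

def parse_fragment(datagram):
    """Return (message key, fragment number, total) if the datagram is an SKF fragment, else None."""
    if len(datagram) < IKEV2_HDR.size + SKF_HDR.size:
        return None
    spi_i, spi_r, nxt, ver, exch, flags, msgid, length = IKEV2_HDR.unpack_from(datagram)
    if ver >> 4 != 2 or nxt != PAYLOAD_SKF or length != len(datagram):
        return None
    _, _, plen, frag_no, total = SKF_HDR.unpack_from(datagram, IKEV2_HDR.size)
    if frag_no == 0 or total == 0 or frag_no > total or plen > length - IKEV2_HDR.size:
        return None
    # Fragments of one message share both SPIs, the Message ID and the Response bit.
    return (spi_i, spi_r, msgid, bool(flags & FLAG_RESPONSE), exch), frag_no, total

def check_fragment_sets(datagrams):
    """Group fragments by message and report which sets could be reassembled."""
    seen = defaultdict(dict)
    for d in datagrams:
        parsed = parse_fragment(d)
        if parsed:
            key, frag_no, total = parsed
            seen[key][frag_no] = total
    report = {}
    for key, frags in seen.items():
        totals = set(frags.values())
        complete = len(totals) == 1 and set(frags) == set(range(1, next(iter(totals)) + 1))
        report[key] = ("complete" if complete else "incomplete", sorted(frags))
    return report

def build_fragment(spi_i, spi_r, msgid, response, frag_no, total, body=b"\x00" * 500):
    """Build a constructed SKF fragment datagram (body stands in for IV + ciphertext + ICV)."""
    payload = SKF_HDR.pack(0, 0, SKF_HDR.size + len(body), frag_no, total) + body
    flags = FLAG_RESPONSE if response else FLAG_INITIATOR
    hdr = IKEV2_HDR.pack(spi_i, spi_r, PAYLOAD_SKF, 0x20, EXCH_IKE_AUTH, flags, msgid,
                         IKEV2_HDR.size + len(payload))
    return hdr + payload

def sample_datagrams():
    """Constructed sample: a complete 4-fragment IKE_AUTH response and a set missing fragment 2."""
    spi_i, spi_r = b"\x01" * 8, b"\x02" * 8
    ok = [build_fragment(spi_i, spi_r, 1, True, n, 4, b"\xaa" * (532 if n < 4 else 476))
          for n in (1, 2, 3, 4)]
    bad = [build_fragment(spi_i, spi_r, 3, True, n, 3) for n in (1, 3)]
    return ok + bad
```

Feeding the script real UDP payloads from a capture (port 500 or, for NAT-T, port 4500 after the four-byte non-ESP marker) shows whether a "not reassembled" verdict is due to missing fragments, mismatched totals, or datagrams that are not IKEv2 fragments at all.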
