Hi Paul, and thanks for looking.

On 10/02/20 17:47, Paul Wouters wrote:
> On Sun, 9 Feb 2020, John Crisp wrote:
>
>> All working perfectly and then suddenly it doesn't, and I don't get why.
>> Feb 8 17:53:16 efw ipsec: 07[ENC] generating IKE_AUTH request 1 [ IDi
>> CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP)
>> N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
>> Feb 8 17:53:16 efw ipsec: 07[NET] sending packet: from endian.ip[4500]
>> to libre.ip[4500] (1504 bytes)
>
> Hmm why did it not use fragmentation? It sent 1504 bytes, so it might be
> that the UDP packet got truncated to 1500 and the fragment of 4 bytes
> was dropped by a firewall.
>
>> Feb 8 17:53:20 efw ipsec: 09[IKE] retransmit 1 of request with
>> message ID 1
>> Feb 8 17:53:20 efw ipsec: 09[NET] sending packet: from endian.ip[4500]
>> to libre.ip[4500] (1504 bytes)
>
>> 18:43:49.451604 IP (tos 0x20, ttl 53, id 10512, offset 0, flags [+],
>> proto UDP (17), length 1492)
>> endian.ip.4500 > libre.ip.4500: NONESP-encap: isakmp 2.0 msgid
>> 00000001: child_sa ikev2_auth[I]: [|v2e] (len mismatch: isakmp 1504/ip
>> 1460)
>
> See "len mismatch" ? It seems your MTU is 1460 but your packet is 1504.
> Strongswan should really be triggering fragmentation here. Try and look
> into their documentation to confirm how to enable IKEv2 fragmentation.

And funnily enough I was just responding to say I think the problem is with MTU :-)

"I have static IPs on my ADSL lines, but these days according to the ISP they are really DHCP. So you get odd things like:

IP address 80.58.10.27
Subnet mask 255.255.255.255
Gateway IP 192.168.144.1

Go figure....

I have a pair of Draytek ADSL routers in Private IP mode (a sort of bridge mode) back to an Endian Multi WAN router. Seems that they have a bit of a bunfight over the MTU required.

The line is PPPoE so max 1492. Endian connects to Draytek via Ethernet and the ethernet ports default to 1500, but we think the Draytek does something odd bridging the packets to the Endian box.

The answer seems to be setting the Endian 'Connections' to MTU 1492 or less rather than the default 1500."

I have added the fragmentation option to Endian as it appears the version supports it.

Many thanks - confirmed what I had started to suspect.

Back to my L2TPD/Ipsec/Android 10 struggles (at least the ipsec bit works perfectly there!)

B Rgds

John
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
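The arithmetic behind the "len mismatch" in the thread, as an added example that is not part of the thread and not code from strongSwan, libreswan or Endian. It assumes IPv4 without options and UDP encapsulation on port 4500 with the 4-byte non-ESP marker (RFC 3948); the sample input is the thread's own log and tcpdump lines, joined onto single lines. On a PPPoE link with MTU 1492 the largest IKE message that fits one datagram is 1492 - 20 - 8 - 4 = 1460 bytes, which is exactly the "ip 1460" tcpdump reports next to the 1504-byte IKE_AUTH; the other 44 bytes travel in a second IP fragment, and a middlebox that drops IP fragments produces precisely the retransmit loop shown in the log. The helpers flag oversized "sending packet" lines for a given link MTU and parse tcpdump's note so the gap can be read off a capture.

```python
"""Check strongSwan IKE message sizes against a link MTU and parse
tcpdump's "len mismatch" annotation.  Constructed example, not code from
the thread or from any IKE implementation.  Assumes IPv4 (no options) and
UDP encapsulation; port 4500 carries a 4-byte non-ESP marker, port 500 does not."""
import math
import re

IPV4_HEADER = 20     # bytes, no IP options
UDP_HEADER = 8
NON_ESP_MARKER = 4   # RFC 3948 NAT-T marker preceding the IKE header on UDP/4500

# strongSwan "sending packet: from a[4500] to b[4500] (1504 bytes)"
SEND_RE = re.compile(r"sending packet: from \S+\[(\d+)\] to \S+\[(\d+)\] \((\d+) bytes\)")
# tcpdump note when the IKE header's length exceeds the bytes this IP packet carried
MISMATCH_RE = re.compile(r"len mismatch: isakmp (\d+)/ip (\d+)")


def ike_payload_limit(link_mtu, dport=4500):
    """Largest IKE message that fits one unfragmented IPv4/UDP datagram on this link."""
    marker = NON_ESP_MARKER if dport == 4500 else 0
    return link_mtu - IPV4_HEADER - UDP_HEADER - marker


def ike_fragments_needed(message_len, link_mtu, dport=4500):
    """Lower bound on IKEv2 (RFC 7383) fragments needed to avoid IP fragmentation.
    The per-fragment Encrypted Fragment payload overhead is ignored here."""
    return math.ceil(message_len / ike_payload_limit(link_mtu, dport))


def oversized_ike_sends(log_lines, link_mtu):
    """Return (dport, size, limit) for every 'sending packet' line larger than the link allows."""
    hits = []
    for line in log_lines:
        m = SEND_RE.search(line)
        if not m:
            continue
        dport, size = int(m.group(2)), int(m.group(3))
        limit = ike_payload_limit(link_mtu, dport)
        if size > limit:
            hits.append((dport, size, limit))
    return hits


def parse_len_mismatch(tcpdump_line):
    """Return (isakmp_len, ip_len, bytes_in_later_fragments) from tcpdump's note, or None."""
    m = MISMATCH_RE.search(tcpdump_line)
    if not m:
        return None
    isakmp_len, ip_len = int(m.group(1)), int(m.group(2))
    return isakmp_len, ip_len, isakmp_len - ip_len


# Constructed sample input: the thread's own lines, each joined onto one line.
SAMPLE_LOG = [
    "Feb 8 17:53:16 efw ipsec: 07[ENC] generating IKE_AUTH request 1 [ IDi CERT "
    "N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) "
    "N(ADD_4_ADDR) N(EAP_ONLY) ]",
    "Feb 8 17:53:16 efw ipsec: 07[NET] sending packet: from endian.ip[4500] "
    "to libre.ip[4500] (1504 bytes)",
    "Feb 8 17:53:20 efw ipsec: 09[IKE] retransmit 1 of request with message ID 1",
    "Feb 8 17:53:20 efw ipsec: 09[NET] sending packet: from endian.ip[4500] "
    "to libre.ip[4500] (1504 bytes)",
]
SAMPLE_TCPDUMP = (
    "18:43:49.451604 IP (tos 0x20, ttl 53, id 10512, offset 0, flags [+], "
    "proto UDP (17), length 1492) endian.ip.4500 > libre.ip.4500: NONESP-encap: "
    "isakmp 2.0 msgid 00000001: child_sa ikev2_auth[I]: [|v2e] "
    "(len mismatch: isakmp 1504/ip 1460)"
)

if __name__ == "__main__":
    for mtu in (1500, 1492):
        print(f"link MTU {mtu}: IKE limit {ike_payload_limit(mtu)} bytes, "
              f"oversized sends {oversized_ike_sends(SAMPLE_LOG, mtu)}")
    print("tcpdump:", parse_len_mismatch(SAMPLE_TCPDUMP))
    print("IKEv2 fragments needed at MTU 1492:", ike_fragments_needed(1504, 1492))
```

Note that the 1504-byte message exceeds the limit even at the Ethernet default of 1500 (limit 1468), so lowering the Endian MTU to 1492 by itself only makes the arithmetic honest; it is IKEv2 fragmentation that keeps each datagram under the limit, so the exchange no longer depends on IP fragments surviving the path.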
