> Hello Volker,
>
>> This packet was a large packet and was sent as two UDP fragments. One or
>> possibly both fragments were dropped on the route to the other side.
>
> Is it possible to handle the packet fragmentation to fix the problem?
> Unfortunately, the real world situation is such that in the majority of cases
> it is impossible to intervene on the intermediate router (provider's setup,
> hot spots etc).
> Initially this was the reason that we started to store the certificates
> locally on each side. Otherwise even the initial IKE handshake was unsuccessful.
>
>> I can see this is still your setup with the NAT router.
>> You should try to fix the router.
>
> There is no possibility to do that.
>
> Looking forward to your thoughts and wish you a Happy New Year!
> Regards,
> Serge
>
Hello Serge,

for a fixed site to site tunnel I would complain to my provider, as I pay for the service and they have to fix the router if it's broken. I agree this is not a real option for the road warrior case.

I only have some limited experience with Windows road warriors. If ikev2 VPN doesn't work, it's possible to switch back to ikev1 ipsec/l2tp VPN. The proprietary ikev1 fragmentation extension (http://wiki.strongswan.org/projects/strongswan/wiki/ConnSection and search for fragmentation) allows the tunnel to be built up, and if you select a small enough MTU/MRU in the ppp setup, the data packets don't get fragmented. You can do the same. I have to admit this is an ugly solution, but it works.

I wish you a Happy New Year,
Volker
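
As an added example (not part of the thread and not strongSwan code), this sketch estimates how small the ppp MTU/MRU has to be so that an L2TP/IPsec data packet fits the path MTU without IP fragmentation. The header sizes (IPv4, NAT-T, AES-CBC with HMAC-SHA1-96, 8-byte L2TP header, uncompressed PPP header) and the names `Overheads`, `outer_packet_size` and `max_ppp_mtu` are assumptions made for the illustration.

```python
# Added example: size of an L2TP/IPsec data packet (ESP transport mode, NAT-T).
# All byte counts are assumptions for one common proposal; adjust to your own.
from dataclasses import dataclass


@dataclass(frozen=True)
class Overheads:
    outer_ip: int = 20     # IPv4 header without options
    natt_udp: int = 8      # UDP/4500 encapsulation behind the NAT router
    esp_header: int = 8    # SPI + sequence number
    esp_iv: int = 16       # AES-CBC IV
    esp_block: int = 16    # AES-CBC block size, drives ESP padding
    esp_trailer: int = 2   # pad length + next header
    esp_icv: int = 12      # HMAC-SHA1-96
    l2tp_udp: int = 8      # UDP/1701 carried inside ESP
    l2tp_header: int = 8   # flags, length, tunnel id, session id
    ppp_header: int = 4    # address, control, protocol (no compression)


def outer_packet_size(ppp_mtu: int, o: Overheads = Overheads()) -> int:
    """On-the-wire IP packet size for one PPP payload of ppp_mtu bytes."""
    protected = o.l2tp_udp + o.l2tp_header + o.ppp_header + ppp_mtu
    # ESP pads payload + trailer up to a multiple of the cipher block size.
    unpadded = protected + o.esp_trailer
    padded = -(-unpadded // o.esp_block) * o.esp_block
    return o.outer_ip + o.natt_udp + o.esp_header + o.esp_iv + padded + o.esp_icv


def max_ppp_mtu(path_mtu: int, o: Overheads = Overheads()) -> int:
    """Largest ppp MTU/MRU whose ESP packet still fits path_mtu unfragmented."""
    for mtu in range(path_mtu, 0, -1):
        if outer_packet_size(mtu, o) <= path_mtu:
            return mtu
    raise ValueError("path MTU too small for any payload")


if __name__ == "__main__":
    for path in (1500, 1492, 1400, 1280):  # constructed sample path MTUs
        mtu = max_ppp_mtu(path)
        print(f"path MTU {path}: ppp mtu/mru <= {mtu} "
              f"(outer packet {outer_packet_size(mtu)} bytes)")
```

Under these assumptions a default ppp MTU of 1500 produces a 1600-byte outer packet, which is why the data packets fragment until the ppp MTU/MRU is lowered.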
