> Hi Raoul,
>
> So given that my tcpdump establishes that in the bad case the
> ikev2_auth[I] arrives at the machine but the logs in strongswan do not
> indicate that it was processed/received then what could be the issue
> here? I believe I have ruled out iptables/firewall as a cause. So I
> *think* the data does get there but why do the logs go quiet as if it
> didn't get processed/handled?
>
> I did notice in the good case that the IKE_AUTH request was 2380
> bytes. Could this be a fragmentation thing? Could it be something
> really subtle like a kernel problem? Seems unlikely - but how would I
> ascertain this?
>
> Can you give any suggestions on how I can debug this? Is there any
> useful logging I can enable to get to the bottom of this?

Most likely this is a fragmentation problem. To show it you also have to
capture the following fragments, not only the first fragment. Something
like this works.
root@bad-server:~# tcpdump -n -s 0 -v 'host my-client-ip'
If you do this on both sides it's possible to detect the dropped fragments.
Regards,
Volker
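
Added example, not part of the original message: one way to compare the two captures suggested above and list the IP fragments that left one side but never reached the other. The sample output is constructed, and the script assumes IPv4 with no NAT rewriting addresses between the two hosts.

```python
import re

# Constructed, trimmed `tcpdump -n -s 0 -v` output (documentation addresses).
SENDER = """\
10:15:01.100000 IP (tos 0x0, ttl 64, id 4660, offset 0, flags [+], proto UDP (17), length 1500)
    203.0.113.10.4500 > 198.51.100.20.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[I]
10:15:01.100010 IP (tos 0x0, ttl 64, id 4660, offset 1480, flags [none], proto UDP (17), length 932)
    203.0.113.10 > 198.51.100.20: ip-proto-17
"""
# Constructed receiver capture: only the first fragment ever shows up.
RECEIVER = "\n".join(SENDER.splitlines()[:2]).replace("ttl 64", "ttl 57")

# With -v the IPv4 header is on one line and the addresses on the next.
HDR = re.compile(r"IP \(.*?\bid (\d+), offset (\d+), flags \[([^\]]*)\]")
ADDR = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")

def fragments(capture_text):
    """Return {(src, dst, ip_id, offset)} for each fragment in the capture."""
    found, pending = set(), None
    for line in capture_text.splitlines():
        m = HDR.search(line)
        if m:
            ip_id, offset, flags = int(m[1]), int(m[2]), m[3]
            # A fragment has the More Fragments flag ("+") or a non-zero offset.
            pending = (ip_id, offset) if "+" in flags or offset else None
            continue
        a = ADDR.match(line)
        if a and pending:
            # Ports are dropped: only the first fragment carries the UDP header.
            found.add((a[1], a[2], *pending))
            pending = None
    return found

def dropped(sender_text, receiver_text):
    """Fragments seen leaving the sender that never appear at the receiver."""
    return sorted(fragments(sender_text) - fragments(receiver_text))

if __name__ == "__main__":
    for src, dst, ip_id, offset in dropped(SENDER, RECEIVER):
        print(f"lost in transit: {src} > {dst} id {ip_id} offset {offset}")
```

A first fragment that arrives without its followers can never be reassembled, so the kernel does not hand the datagram to the IKE daemon and nothing is logged.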