On 12/03/2015 08:29, Martin Willi wrote:
IKEv2 fragmentation is a protocol extension (RFC 7383), and AFAIK it is not supported in the Windows client. So you can't use it with these clients, but have to try to avoid messages larger than your MTU to get things working on such constrained networks.
I seem to keep running into exactly the same issues as other people at more or less the same time. What a coincidence! I was looking into this late last night; here are my thoughts.
I have Windows Phone 8.1 working nicely against strongSwan over wired networks and WiFi, but over 3G/HSDPA mobile data networks the same working connection doesn't work. It fails in the IKEv2 auth. A 1500 byte packet is sent but is retransmitted many times before finally failing. tcpdump shows flags [+] indicating fragmentation (offset is 0). I can provide packet dumps on request if helpful. So something in the path doesn't like the fragmentation.
I wanted to look into path MTU being the culprit but I wasn't able to detect the lowest MTU in the path since the mobile device is firewalled by the network operator. People also do block UDP fragments, so I looked into trying to preload the certificates to minimise data size in the exchange. This didn't work. Presumably the WP always requests the vpn cert? Setting sendleftcert=never breaks the connection in any case.

So I then looked into the fragmentation=yes feature. It didn't work, or rather I couldn't get it to work and packet captures showed the messages were STILL being fragmented despite me setting strongSwan fragment_size. I had a think about how this feature might work, and it dawned on me that this feature would have to be supported at both endpoints for reassembly at the other end (it was late!). Reading the relevant section in the RFC confirmed this. Obviously there's no Microsoft documentation about whether or not this feature is supported in their VPN Reconnect client; but it appears not. Shame there's no strongSwan app in the Windows Store ;-)
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
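The diagnosis above rests on reading the IPv4 fragmentation bits (tcpdump's `[+]` flag and the fragment offset) on the IKE_AUTH datagrams leaving the gateway. The following is an added example, not code from this thread or from the strongSwan project: a small Python script that builds a few constructed sample packets modelled on the symptom (a certificate-carrying IKE_AUTH that the sender split into a 1500-byte first fragment plus a tail, next to a small IKE_SA_INIT and an unrelated DNS query), decodes the IPv4 and UDP headers, groups fragments by IP ID, and reports which IKE datagrams were IP-fragmented on the wire. The IP IDs, addresses and payload sizes are made up for the demonstration; on a real gateway the same `parse_ipv4`/`analyze` functions would be fed raw IPv4 packets read from a capture.

```python
import struct

IKE_PORTS = {500, 4500}      # IKEv2 and IKEv2 NAT-T UDP ports
IPPROTO_UDP = 17
IP_MF = 0x2000               # IPv4 "more fragments" flag (tcpdump shows it as [+])
IP_OFFSET_MASK = 0x1FFF      # fragment offset, in 8-byte units


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_ipv4(payload: bytes, ip_id: int, more_fragments: bool = False,
              frag_offset: int = 0, proto: int = IPPROTO_UDP) -> bytes:
    """Build a minimal IPv4 packet around payload (constructed sample data, not a capture)."""
    flags_frag = (IP_MF if more_fragments else 0) | (frag_offset & IP_OFFSET_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id,
                      flags_frag, 64, proto, 0,
                      bytes([10, 0, 0, 2]), bytes([192, 0, 2, 1]))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def make_udp(src_port: int, dst_port: int, data: bytes) -> bytes:
    """UDP header (checksum left 0, which is legal over IPv4) followed by the data."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fields needed to spot fragmentation; UDP ports exist only in the first fragment."""
    ihl = (packet[0] & 0x0F) * 4
    total_len, ip_id, flags_frag = struct.unpack("!HHH", packet[2:8])
    proto = packet[9]
    info = {"id": ip_id, "len": total_len, "proto": proto,
            "mf": bool(flags_frag & IP_MF), "offset": flags_frag & IP_OFFSET_MASK}
    if proto == IPPROTO_UDP and info["offset"] == 0:
        info["sport"], info["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return info


def analyze(packets: list) -> dict:
    """Group fragments by IP ID and report which IKE datagrams were fragmented on the wire."""
    ike_ids = set()          # IP IDs whose first fragment carried IKE ports
    frags = {}               # IP ID -> fragment offsets seen
    unfragmented_ike = 0
    for pkt in packets:
        p = parse_ipv4(pkt)
        is_fragment = p["mf"] or p["offset"] > 0
        is_ike = p.get("dport") in IKE_PORTS or p.get("sport") in IKE_PORTS
        if is_ike and not is_fragment:
            unfragmented_ike += 1
        if is_fragment:
            frags.setdefault(p["id"], []).append(p["offset"])
            if is_ike:
                ike_ids.add(p["id"])
    return {"fragmented_ike": {i: sorted(frags[i]) for i in ike_ids},
            "unfragmented_ike": unfragmented_ike}


# Constructed sample traffic (hypothetical IDs and sizes): a ~1800-byte IKE_AUTH split
# into a 1500-byte first fragment plus a tail, one small IKE_SA_INIT, one DNS query.
IKE_AUTH_ID = 0x1234
first_piece = make_udp(500, 500, b"\x00" * 1472)                  # 8 + 1472 = 1480 bytes
SAMPLE_PACKETS = [
    make_ipv4(first_piece, IKE_AUTH_ID, more_fragments=True),     # 1500 bytes, flags [+]
    make_ipv4(b"\x00" * 320, IKE_AUTH_ID, frag_offset=1480 // 8), # tail, no UDP header
    make_ipv4(make_udp(500, 500, b"\x00" * 400), 0x1235),         # IKE_SA_INIT, fits MTU
    make_ipv4(make_udp(53123, 53, b"\x00" * 40), 0x1236),         # unrelated DNS query
]

if __name__ == "__main__":
    result = analyze(SAMPLE_PACKETS)
    for ip_id, offsets in result["fragmented_ike"].items():
        print(f"IKE datagram id=0x{ip_id:04x} was IP-fragmented into "
              f"{len(offsets)} pieces (offsets {offsets})")
    print(f"{result['unfragmented_ike']} IKE datagram(s) fit in a single packet")
```

Any entry under `fragmented_ike` is a datagram that depends on the path forwarding IP fragments, which is exactly what a carrier network that drops UDP fragments will break; the fix on the strongSwan side is to keep IKE_AUTH under the MTU (smaller certificate chain, or IKEv2 fragmentation where the peer supports RFC 7383), and this check shows whether that has actually taken effect.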
