Hi Fred,

> -----Original Message-----
> On 12/03/2015 02:35, Steffen Plotner wrote:
> > Hi,
> >
> > Strongswan 5.2.2 on linux (centos 6) IKEv2 configuration for windows
> > clients I have the following problem:
> >
> > Initiator sends IKE_SA_INIT
> > Server responds with IKE_SA_INIT
> > Initiator sends IKE_AUTH
> > Server responds with a fragmented IP packet of 1514 bytes (the MTU is
> > 1500 on the outgoing interface).
>
> Just an update. Using ECDSA means these large packets are no longer an
> issue. Perhaps RSA is preferred from a security point of view; I don't
> know. But certainly the smaller key footprint without having to reduce
> the RSA keysize or use a short DN is maybe a good solution.

I actually did try the ECDSA cert and saw that the packet sizes are small enough to not fragment, but the Windows 7 client does not understand it. It ends up just hanging the connection process. I found a reference about that here:

https://www.mail-archive.com/[email protected]/msg04603.html

Steffen
