From my personal experience it looks like the other party did not send back a 
certificate as requested by this host, or the packet got lost on the network. 
IKE packets can be as large as 3,000 bytes, and China's Internet is known to 
have Path MTU "black holes" [1].

Please try ECDSA certificates (instead of the usual RSA) in addition to ECDH 
cipher suites to reduce datagram size if this is an option for you.

Tianjie Mao

1) https://en.wikipedia.org/wiki/Path_MTU_Discovery#Problems

> On 13 Oct 2016, at 19:01, Oliver Söder <osoe...@gmx.de> wrote:
> Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[IKE] sending cert 
> request for "C=DE, O=Eugenia Raff, CN=strongSwan Root CA"
Users mailing list

Reply via email to