I also have some clients connecting from central Asia where the internet is very 
poor and restricted. The main optimizations must be done at the server OS and 
firewall, not in strongSwan. In strongSwan, try to authenticate the server with a 
2048-bit certificate or higher and watch out for the IKE ciphers and the 
dos_protection, ikesa_table_size, ikesa_table_segments and ikesa_hashtable_size 
parameters. Allow only IKEv2 if possible, decrease DPD requests and set 
dpdaction=restart to restart the connection automatically if the tunnel fails. 
From the operating system, watch out for MTU changes, because in my case I had a 
lot of MTU decreases within the provider network in the region where the client 
is located. Allow ICMP fragmentation-needed requests in the firewall and make 
TCP MSS optimizations. It is also recommended to install a proxy server behind 
the VPN server which can only be connected to from within the VPN tunnel (so the 
client could configure its browser to use the proxy server to enhance connection 
stability).

Anvar Kuchkartaev 
[email protected] 
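The settings the reply above recommends, gathered into one server-side script as an added example (not code from the thread or from the strongSwan project). It renders an ipsec.conf conn section, a strongswan.conf charon section and the iptables rules as reviewable text and then checks that every recommended setting is present. The interface name, virtual-IP pool, proxy port, certificate file and host name are constructed placeholders; the charon retransmit_* settings go beyond the reply and address the IKE_SA_INIT retransmit timeout in the original question.

```shell
#!/bin/sh
# Added example, not from the thread or the strongSwan project: render the
# server-side settings the reply recommends (IKEv2 only, fewer DPD probes with
# automatic restart, 2048-bit DH, dos_protection and IKE_SA table sizing,
# ICMP "fragmentation needed" allowed, TCP MSS clamped, proxy reachable only
# inside the tunnel) and check the rendered text. All names are placeholders.

IKE_IF="${IKE_IF:-eth0}"             # assumed public-facing interface
VPN_NET="${VPN_NET:-10.10.0.0/16}"   # assumed virtual-IP pool for clients
PROXY_PORT="${PROXY_PORT:-3128}"     # assumed port of the proxy behind the VPN

# ipsec.conf: dpddelay is raised from the 30s default so DPD adds little
# traffic on a slow link; dpdaction=restart re-initiates the SA when DPD does
# declare the peer dead; fragmentation=yes lets large IKE messages through
# paths with a reduced MTU.
render_conn() {
  cat <<EOF
conn roadwarrior
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    leftcert=serverCert.pem
    leftid=@vpn.example.invalid
    leftsubnet=0.0.0.0/0
    rightsourceip=$VPN_NET
    dpddelay=120s
    dpdaction=restart
    fragmentation=yes
    auto=add
EOF
}

# strongswan.conf charon section: cookie-based anti-DoS and a larger IKE_SA
# table for many peers, plus a slower retransmit schedule so IKE_SA_INIT is
# retried more often, and later, before charon gives up (the defaults are
# 5 tries, 4.0s timeout, base 1.8).
render_charon() {
  cat <<EOF
charon {
    dos_protection = yes
    ikesa_table_size = 4096
    ikesa_table_segments = 16
    retransmit_tries = 8
    retransmit_timeout = 6.0
    retransmit_base = 1.5
}
EOF
}

# iptables: accept IKE, NAT-T and ESP; never drop "fragmentation needed" so
# path-MTU discovery survives the provider's MTU reductions; clamp the MSS of
# tunnelled TCP flows to the path MTU; expose the proxy only to tunnel clients.
render_firewall() {
  cat <<EOF
iptables -A INPUT -i $IKE_IF -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $IKE_IF -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $IKE_IF -p esp -j ACCEPT
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -t mangle -A FORWARD -s $VPN_NET -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A FORWARD -d $VPN_NET -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A INPUT -s $VPN_NET -p tcp --dport $PROXY_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $PROXY_PORT -j DROP
EOF
}

# Returns 0 when every recommended setting is present and IKEv1 is not
# enabled; otherwise lists the missing items on stderr and returns 1.
check_rendered() {
  all="$(render_conn; render_charon; render_firewall)"
  missing=""
  for want in 'keyexchange=ikev2' 'modp2048' 'dpdaction=restart' \
              'dos_protection = yes' 'ikesa_table_size' \
              'fragmentation-needed' 'clamp-mss-to-pmtu'; do
    printf '%s\n' "$all" | grep -q -e "$want" || missing="$missing $want"
  done
  if printf '%s\n' "$all" | grep -q 'ikev1'; then
    missing="$missing (ikev1 must not be enabled)"
  fi
  if [ -n "$missing" ]; then
    echo "missing:$missing" >&2
    return 1
  fi
  return 0
}

# Print all three fragments for review. Apply the firewall part with
#   render_firewall | sh
# only after reading it; the other two are pasted into their config files.
render_conn; render_charon; render_firewall
```

The rules are rendered rather than applied so they can be reviewed against the existing ruleset first; the proxy ACCEPT/DROP pair must stay in that order, as the DROP would otherwise shadow the tunnel-only ACCEPT.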
  Original Message  
From: Jamie Stuart
Sent: viernes, 29 de septiembre de 2017 05:59 p.m.
To: [email protected]
Subject: [strongSwan] Timeout on poor connection


Hi,

We have a client (running on LEDE) connecting to a server (Ubuntu). The client is 
connecting from rural Africa over 2G/3G with high latency and low speed.
Often, the connection does not come up, timing out after 5 retransmits like the 
log below:


ipsec up {connection}
initiating IKE_SA {connection}[2] to {serverip}
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_S_IP) 
N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP)]
sending packet: from {clientip}[500] to {serverip}[500] (378 bytes)
retransmit 1 of request with message ID 0
sending packet: from {clientip}[500] to {serverip}[500] (378 bytes)
retransmit 2 of request with message ID 0
sending packet: from {clientip}[500] to {serverip}[500] (378 bytes)
retransmit 3 of request with message ID 0
sending packet: from {clientip}[500] to {serverip}[500] (378 bytes)


Is there anything more we can do to make the connection 1) establish more 
reliably 2) remain ’up’ even over a poor quality connection (using MOBIKE 
already)?


Thanks in advance!

Jamie, onebillion
