Could you post your (redacted) strongswan config Anvar?

> On 30 Sep 2017, at 00:59, Anvar Kuchkartaev <[email protected]> wrote:
> 
> I also have some clients connecting from central Asia where the internet is very 
> poor and restricted. The main optimizations must be done at the server OS and 
> firewall, not in strongSwan. In strongSwan, try to authenticate the server with 
> a 2048-bit certificate or higher, and watch out for the IKE ciphers and the 
> dos_protection, ikesa_table_size, ikesa_table_segments and ikesa_hashtable_size 
> parameters. Allow only IKEv2 if possible, decrease DPD requests and set 
> dpdaction=restart to restart the connection automatically if the tunnel fails. On 
> the operating system side, watch out for MTU changes, because in my case I had a 
> lot of MTU decreases within the provider network in the region where the client 
> is located. Allow ICMP "fragmentation needed" messages through the firewall and 
> make TCP MSS optimizations. It is also recommended to install a proxy server 
> behind the VPN server which is only reachable from within the VPN tunnel (so the 
> client could configure its browser to use the proxy server to enhance connection 
> stability).
> 
> Anvar Kuchkartaev 
> [email protected] 
>   Original Message  
> From: Jamie Stuart
> Sent: Friday, 29 September 2017 05:59 p.m.
> To: [email protected]
> Subject: [strongSwan] Timeout on poor connection
> 
> 
> Hi,
> 
> We have a client (running on LEDE) connecting to a server (Ubuntu). The client 
> is connecting from rural Africa over 2G/3G with high latency and low speed. 
> Often, the connection does not come up, timing out after 5 retransmits like the 
> log below:
> 
> 
> ipsec up {connection}
> initiating IKE_SA {connection}[2] to {serverip}
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_S_IP) 
> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP)]
> sending packet: from {clientip}[500] to {serverip}[500] (378 bytes)
> retransmit 1 of request with message ID 0
> sending packet: from {clientip}[500] to {serverip}[500] (378 bytes)
> retransmit 2 of request with message ID 0
> sending packet: from {clientip}[500] to {serverip}[500] (378 bytes)
> retransmit 3 of request with message ID 0
> sending packet: from {clientip}[500] to {serverip}[500] (378 bytes)
> 
> 
> Is there anything more we can do to make the connection 1) establish more 
> reliably and 2) remain 'up' even over a poor quality connection (using MOBIKE 
> already)?
> 
> 
> Thanks in advance!
> 
> Jamie, onebillion
> 
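As an added example (not configuration posted by Anvar or Jamie, and not strongSwan project code), the following script renders the client-side and server-side settings Anvar lists into the files they belong in, and adds one thing the thread only shows in progress: `retransmit_budget` computes, from charon's `retransmit_tries`, `retransmit_timeout`, `retransmit_base` and `retransmit_limit`, how many seconds charon waits before giving up on an IKE request such as the IKE_SA_INIT in Jamie's log. The connection name `rural-client`, the peer `vpn.example.org`, the certificate file name, the subnet, the timer values and the cipher suites are assumptions chosen for illustration; the iptables rules are printed, not applied.

```shell
#!/bin/sh
# Added example for this thread (not Anvar's or Jamie's config, not strongSwan
# project code). Names, addresses, timers and cipher suites are assumptions.

# charon's retransmission schedule (strongswan.conf): retransmit n is sent
# after retransmit_timeout * retransmit_base^n seconds, n = 0..retransmit_tries,
# each delay capped at retransmit_limit when that is > 0. Prints the total
# number of seconds charon waits before "giving up" on an IKE request.
retransmit_budget() {
    awk -v tries="$1" -v timeout="$2" -v base="$3" -v limit="${4:-0}" 'BEGIN {
        total = 0
        for (n = 0; n <= tries; n++) {
            d = timeout * base ^ n
            if (limit > 0 && d > limit) d = limit
            total += d
        }
        printf "%.0f\n", total
    }'
}

# /etc/strongswan.conf fragment: a longer retransmit schedule for a
# high-latency link, plus DoS protection on the server.
render_charon_conf() {
cat <<'EOF'
charon {
    # defaults are 5 tries, 4.0 s, base 1.8: about 165 s before giving up
    retransmit_tries = 7
    retransmit_timeout = 6.0
    retransmit_base = 1.8
    retransmit_limit = 60
    # server side: cookies and half-open limits against IKE_SA_INIT floods
    dos_protection = yes
    # ikesa_table_size / ikesa_table_segments only matter with many concurrent
    # IKE_SAs; leave the defaults for a handful of clients
}
EOF
}

# /etc/ipsec.conf fragment for the LEDE client: IKEv2 only, MOBIKE, IKE
# fragmentation, sparse DPD with automatic restart.
render_ipsec_conf() {
cat <<'EOF'
conn rural-client
    keyexchange=ikev2
    # assumed suites; the server certificate should be RSA 2048 bit or larger
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    leftauth=pubkey
    leftcert=clientCert.pem
    right=vpn.example.org
    rightauth=pubkey
    rightid=@vpn.example.org
    rightsubnet=10.10.0.0/16
    mobike=yes
    fragmentation=yes
    # one liveness check every two minutes; re-initiate instead of dropping
    dpddelay=120s
    dpdaction=restart
    closeaction=restart
    keyingtries=%forever
    auto=start
EOF
}

# iptables rules for the Ubuntu server: IKE/NAT-T, path MTU discovery and
# MSS clamping for traffic forwarded through the tunnel.
render_firewall_rules() {
cat <<'EOF'
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# never drop "fragmentation needed", or PMTU discovery through the tunnel breaks
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
# clamp the TCP MSS of forwarded flows to the path MTU (ESP/UDP overhead)
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
EOF
}

# Usage: sh tune-ikev2.sh render   (prints the fragments; nothing is applied)
case "${1:-}" in
    render)
        echo "# default retransmit budget: $(retransmit_budget 5 4.0 1.8) s"
        echo "# tuned retransmit budget:   $(retransmit_budget 7 6.0 1.8 60) s"
        render_charon_conf
        render_ipsec_conf
        render_firewall_rules
        ;;
esac
```

With the defaults, charon gives up after roughly 165 seconds; the tuned schedule above waits about 311 seconds, with `retransmit_limit` keeping any single gap at one minute so a recovered link is retried quickly. Raising the retransmit budget only helps the initial exchange survive packet loss; the MTU and MSS rules are what keep an established tunnel usable over the path Anvar describes.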
