[Swan] android nat vs no-nat

Paul Wouters paul at nohats.ca
Wed Oct 22 02:30:20 EEST 2014


On Tue, 21 Oct 2014, Bob Miller wrote:

> Turned out this was the correct path to a fix, but I didn't see it till
> I did a verbose tcpdump.  The cert with the 1024-bit key was still too big,
> so I made another cert with an 800-bit key, and that succeeded in
> connecting.

ugh...

> I am curious as to how one identifies what is causing this.  When I saw

Most likely an ISP on the path is filtering UDP fragments.

> it in the tcpdump, it was giving an error like "len mismatch: isakmp
> 1532/ip 1468" when I was using the 1024-bit key, which makes me think I am
> not receiving fragmented packets.  Yet when I set the tablet as a
> hotspot and connect with a Windows machine through it, I can connect
> with a 4096-bit cert, and when connecting with the tablet through a
> non-LTE network, the 4096-bit key works on the tablet too, so surely things
> are fragmenting?  So is this problem a function of the tablet, the
> firewall, or something in between?

It might be that those IKE clients support FRAGMENTATION, so libreswan
can detect the missing response and retry using smaller IKE packets.
You should see this in the pluto logs.

Paul
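The mechanism behind the two observations in this thread, as an added example that is not part of the original mail and not libreswan code: a "len mismatch: isakmp 1532/ip 1468" line is what you get when an IKE datagram was split into IP fragments and only the first one arrived (the IKE header still announces the full 1532 bytes), while an IKE client that supports IKE fragmentation (RFC 7383 for IKEv2) avoids IP-level fragmentation altogether by re-sending the same message as several small messages, each carrying one Encrypted Fragment (SKF, payload type 53). The code builds the header and SKF framing, reproduces the length check, and shows fragmentation and reassembly. Assumptions: IPv4 without options on UDP/500 (so no NAT-T non-ESP marker), and the SKF bodies carry the inner payloads in the clear rather than IV, ciphertext and ICV, so the example runs offline; the SPIs and payload contents are constructed.

```python
"""IKEv2 fragmentation (RFC 7383) and the IKE length check that exposes a
dropped IP fragment.  Added example, not libreswan code; no encryption."""
import struct

IKE_HEADER_LEN = 28          # RFC 7296 3.1 fixed header
IKE_VERSION = 0x20           # major 2, minor 0
SKF_PAYLOAD_TYPE = 53        # Encrypted and Authenticated Fragment payload
SKF_HEADER_LEN = 8           # generic payload header (4) + Fragment Number (2) + Total Fragments (2)
IPV4_UDP_OVERHEAD = 28       # IPv4 header (20) + UDP header (8); assumes no IP options, no NAT-T marker
IKE_HDR_FMT = "!8s8sBBBBII"  # SPIi, SPIr, next payload, version, exchange type, flags, message ID, length
SKF_HDR_FMT = "!BBHHH"       # next payload, C/reserved, payload length, fragment number, total fragments


def ike_header(spi_i, spi_r, next_payload, exchange, flags, msg_id, length):
    return struct.pack(IKE_HDR_FMT, spi_i, spi_r, next_payload, IKE_VERSION,
                       exchange, flags, msg_id, length)


def length_mismatch(datagram):
    """Return a tcpdump-style diagnostic if the IKE header's Length field disagrees
    with the bytes that actually arrived (a trailing IP fragment was lost), else None."""
    if len(datagram) < IKE_HEADER_LEN:
        return "short header: %d bytes" % len(datagram)
    isakmp_len = struct.unpack(IKE_HDR_FMT, datagram[:IKE_HEADER_LEN])[7]
    if isakmp_len != len(datagram):
        return "len mismatch: isakmp %d/ip %d" % (isakmp_len, len(datagram))
    return None


def fragment_message(spi_i, spi_r, exchange, flags, msg_id, first_payload_type, inner, mtu):
    """Split the inner payload bytes of one IKE message into several IKE messages,
    each carrying a single SKF payload and each small enough to cross a path with
    the given MTU without IP fragmentation.  Returns the list of UDP payloads."""
    chunk = mtu - IPV4_UDP_OVERHEAD - IKE_HEADER_LEN - SKF_HEADER_LEN
    if chunk <= 0:
        raise ValueError("MTU too small for an IKE fragment")
    pieces = [inner[i:i + chunk] for i in range(0, len(inner), chunk)] or [b""]
    total = len(pieces)
    if total > 0xFFFF:
        raise ValueError("too many fragments for a 16-bit counter")
    out = []
    for number, piece in enumerate(pieces, start=1):
        # Only the first fragment names the type of the first inner payload; the
        # others carry 0 in Next Payload (RFC 7383 2.5).
        nxt = first_payload_type if number == 1 else 0
        skf = struct.pack(SKF_HDR_FMT, nxt, 0, SKF_HEADER_LEN + len(piece), number, total) + piece
        hdr = ike_header(spi_i, spi_r, SKF_PAYLOAD_TYPE, exchange, flags, msg_id,
                         IKE_HEADER_LEN + len(skf))
        out.append(hdr + skf)
    return out


def reassemble(datagrams):
    """Collect SKF fragments of one message, in any order.  Returns
    (first_inner_payload_type, inner_bytes) once every fragment is present,
    or None while some are still missing (a real peer would wait or retransmit)."""
    pieces, key, expected, first_payload = {}, None, None, None
    for d in datagrams:
        problem = length_mismatch(d)
        if problem:
            raise ValueError(problem)
        spi_i, spi_r, np, _ver, _ex, _flags, msg_id, _len = struct.unpack(IKE_HDR_FMT, d[:IKE_HEADER_LEN])
        if np != SKF_PAYLOAD_TYPE:
            raise ValueError("not a fragment message")
        nxt, _c, plen, number, total = struct.unpack(
            SKF_HDR_FMT, d[IKE_HEADER_LEN:IKE_HEADER_LEN + SKF_HEADER_LEN])
        k = (spi_i, spi_r, msg_id)
        if key is None:
            key, expected = k, total
        elif k != key or total != expected:
            raise ValueError("fragment belongs to a different message")
        if number == 1:
            first_payload = nxt
        pieces[number] = d[IKE_HEADER_LEN + SKF_HEADER_LEN:IKE_HEADER_LEN + plen]
    if expected is None or len(pieces) != expected:
        return None
    return first_payload, b"".join(pieces[n] for n in range(1, expected + 1))


if __name__ == "__main__":
    spi_i, spi_r = b"\x11" * 8, b"\x22" * 8          # constructed SPIs
    inner = bytes(range(256)) * 5 + b"\xaa" * 224    # constructed 1504-byte payload chain
    # Unfragmented: a 1532-byte IKE_AUTH message of which only the first IP fragment (1468 bytes) arrived.
    whole = ike_header(spi_i, spi_r, 46, 35, 0x08, 1, IKE_HEADER_LEN + len(inner)) + inner
    print(length_mismatch(whole[:1468]))
    # With IKE fragmentation on a 1500-byte MTU path: two datagrams, no IP fragmentation needed.
    frags = fragment_message(spi_i, spi_r, 35, 0x08, 1, 35, inner, 1500)
    print([len(f) for f in frags], reassemble(frags) == (35, inner))
```

The 1468/1532 figures in the demo mirror the quoted tcpdump line: the header claims 1532 bytes, 1468 arrived, and the difference is the second IP fragment the path never delivered. With IKE fragmentation each datagram stays at or below 1472 bytes of UDP payload, which is why a peer that negotiates it can carry a large certificate across the same path.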
