[Swan] Connection stops after STATE_PARENT_R1

John Crisp jcrisp at safeandsoundit.co.uk
Mon Feb 10 18:03:55 UTC 2020

Hi Paul, and thanks for looking.

On 10/02/20 17:47, Paul Wouters wrote:
> On Sun, 9 Feb 2020, John Crisp wrote:
>> All working perfectly and then suddenly it doesn't, and I don't get why.

>> Feb  8 17:53:16 efw ipsec: 07[ENC] generating IKE_AUTH request 1 [ IDi
>> Feb  8 17:53:16 efw ipsec: 07[NET] sending packet: from endian.ip[4500]
>> to libre.ip[4500] (1504 bytes)
> Hmm why did it not use fragmentation? It sent 1504 bytes, so it might be
> that the UDP packet got truncated to 1500 and the fragment of 4 bytes
> was dropped by a firewall.
>> Feb  8 17:53:20 efw ipsec: 09[IKE] retransmit 1 of request with
>> message ID 1
>> Feb  8 17:53:20 efw ipsec: 09[NET] sending packet: from endian.ip[4500]
>> to libre.ip[4500] (1504 bytes)
>> 18:43:49.451604 IP (tos 0x20, ttl 53, id 10512, offset 0, flags [+],
>> proto UDP (17), length 1492)
>>     endian.ip.4500 > libre.ip.4500: NONESP-encap: isakmp 2.0 msgid
>> 00000001: child_sa  ikev2_auth[I]: [|v2e] (len mismatch: isakmp 1504/ip
>> 1460)
> See "len mismatch" ? It seems your MTU is 1460 but your packet is 1504.
> Strongswan should really be triggering fragmentation here. Try and look
> into their documentation to confirm how to enable IKEv2 fragmentation.

And funnily enough I was just responding to say I think the problem is
with MTU :-)

"I have static IPs on my ADSL lines, but these days according to the ISP
they are really DHCP. So you get odd things like:

IP address
Subnet mask
Gateway IP

Go figure....

I have a pair of Draytek ADSL routers in Private IP mode (a sort of
bridge mode) back to a Endian Multi WAN router.

Seems that they have a bit of a bunfight over the MTU required.

The line is PPPoE so max 1492

Endian connects to Draytek via Ethernet and the ethernet ports defaults
to 1500, but the we think the Draytek does something odd bridging the
packets to the Endian box.

The answer seems to be setting the Endian 'Connections' to MTU 1492 or
less rather than the default 1500."

I have added the fragmentation option to Endian as it appears the
version supports it.

Many thanks - confirmed what I had started I suspect.

Back to my L2TPD/Ipsec/Android 10 struggles (at least the ipsec bit
works perfectly there!)

B Rgds

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20200210/a654662e/attachment.sig>

More information about the Swan mailing list