Date: Sun, 19 Nov 2017 21:33:44 +0700
From: Eugene Grosbein <eugen@grosbein.net>
To: Karl Denninger <karl@denninger.net>, freebsd-net@freebsd.org
Subject: Re: OpenVPN vs IPSec
Message-ID: <5A119648.4080707@grosbein.net>
In-Reply-To: <ae7baceb-0aa9-3c76-d3d0-8cad09b6dc42@denninger.net>
References: <20171118165842.GA73810@admin.sibptus.transneft.ru> <b96b449e-3dc1-6e75-e803-e6d6abefe88e@spam-fetish.org> <20171119120832.GA82727@admin.sibptus.transneft.ru> <d92dff62-3baf-a22d-bfac-5a668b276259@spam-fetish.org> <5A11882D.1050700@quip.cz> <ae7baceb-0aa9-3c76-d3d0-8cad09b6dc42@denninger.net>
19.11.2017 21:15, Karl Denninger wrote:

> The reason is Windows. Microslug hasn't updated their client since at
> least Windows 7 release (we're talking about over a decade now) and
> their IKEv2 implementation doesn't support IKE fragmentation. In
> today's world this usually means IPSEC/IKEv2 won't connect at all
> because someone in the middle drops UDP fragments on purpose.
>
> I'd like to ram that up someone's chute out at Microslug, never mind
> that their default proposals are intentionally insecure (gee, I wonder
> if someone in the government "asked nicely" for that?) That's fixable
> with a bit of registry editing, but the lack of IKEv2 frag support is a
> killer and has basically forced me to support OpenVPN when there are
> Windows clients around and you have no control (at all) over the
> networks in the middle between the client and server.

I was able to successfully connect a Windows 8.1 client to a FreeBSD 11.1 server in L2TP/IPSEC mode using ipsec-tools (racoon) plus mpd5. You can use something like mtu=576 for the L2TP ngX interface to avoid UDP fragmentation. Have you tried that?
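As an added worked example (not part of the message above), the following model shows why lowering the inner MTU on the L2TP interface keeps the ESP/UDP packets below a 1500-byte path MTU, while an inner MTU of 1500 would force fragmentation. It assumes transport-mode ESP with NAT-T encapsulation, AES-CBC with HMAC-SHA1-96, and an L2TP data header without the optional length and sequence fields; the header sizes and the `max_inner_mtu` helper are this example's own, not taken from mpd5 or racoon.

```python
import math

# Constructed model of L2TP/IPsec encapsulation overhead (transport mode, NAT-T).
# Header sizes are the standard on-the-wire sizes; the cipher/MAC parameters
# (AES-CBC: 16-byte block and IV, HMAC-SHA1-96: 12-byte ICV) are an assumption.
IPV4_HDR = 20        # outer IPv4 header (transport mode reuses the original one)
NATT_UDP_HDR = 8     # UDP/4500 header added by NAT traversal
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header, inside the encrypted area
L2TP_UDP_HDR = 8     # UDP/1701 header carrying L2TP
L2TP_DATA_HDR = 6    # L2TP data header without optional length/sequence fields
PPP_HDR = 2          # PPP protocol field (address/control field compressed)


def outer_size(inner_mtu, block=16, iv=16, icv=12, natt=True):
    """Bytes on the wire for one inner IP packet of inner_mtu bytes."""
    plain = L2TP_UDP_HDR + L2TP_DATA_HDR + PPP_HDR + inner_mtu + ESP_TRAILER
    padded = math.ceil(plain / block) * block      # CBC pads to the block size
    return IPV4_HDR + (NATT_UDP_HDR if natt else 0) + ESP_HDR + iv + padded + icv


def fragments(inner_mtu, path_mtu=1500, **kw):
    """True when the encapsulated packet would exceed path_mtu and be fragmented."""
    return outer_size(inner_mtu, **kw) > path_mtu


def max_inner_mtu(path_mtu=1500, block=16, iv=16, icv=12, natt=True):
    """Largest inner MTU whose encapsulation still fits in path_mtu unfragmented."""
    fixed = IPV4_HDR + (NATT_UDP_HDR if natt else 0) + ESP_HDR + iv + icv
    padded = (path_mtu - fixed) // block * block   # largest usable encrypted area
    return padded - ESP_TRAILER - L2TP_UDP_HDR - L2TP_DATA_HDR - PPP_HDR


if __name__ == "__main__":
    for mtu in (1500, 1406, 576):
        print(f"inner mtu {mtu:4d} -> {outer_size(mtu)} bytes on the wire, "
              f"fragments: {fragments(mtu)}")
    print("largest unfragmented inner mtu:", max_inner_mtu())
```

The conservative 576 bytes from the message leaves far more headroom than the model requires; the computed maximum is the tightest value for these assumptions only, and different cipher, header-compression or tunnel-mode choices change it.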