19.11.2017 21:15, Karl Denninger wrote:
> The reason is Windows. Microslug hasn't updated their client since at
> least Windows 7 release (we're talking about over a decade now) and
> their IKEv2 implementation doesn't support IKE fragmentation. In
> today's world this usually means IPSEC/IKEv2 won't connect at all
> because someone in the middle drops UDP fragments on purpose.
>
> I'd like to ram that up someone's chute out at Microslug, never mind
> that their default proposals are intentionally insecure (gee, I wonder
> if someone in the government "asked nicely" for that?) That's fixable
> with a bit of registry editing, but the lack of IKEv2 frag support is a
> killer and has basically forced me to support OpenVPN when there are
> Windows clients around and you have no control (at all) over the
> networks in the middle between the client and server.
I was able to successfully connect a Windows 8.1 client to a FreeBSD 11.1 server in L2TP/IPSEC mode using ipsec-tools (racoon) plus mpd5. You can use something like mtu=576 for the L2TP ngX interface to avoid UDP fragmentation. Have you tried that?

_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net