OpenWrt IKEv2 NAT traversal (or similar) problem

Peter Naulls peter at
Wed May 31 12:12:10 PDT 2023

On 5/31/23 10:20, Peter Naulls wrote:
> On 5/30/23 21:09, Yousong Zhou wrote:
>> On Wed, 31 May 2023 at 06:38, Peter Naulls <peter at> wrote:

Thanks for your patience, more:

I ran the connection over a wired WAN connection instead of the cell
WWAN link, and the problem is the same. This points the finger rather squarely
at packet processing/forwarding or similar on OpenWrt.

I did find some reference to some similarish problems - in almost all the
searches I've done, the VPN is initiated on the Linux router, however - but
there's some suggestion that MTU/MSS is implicated - I've rather severely
limited MTU on all the interfaces in OpenWrt as well as the physical and
VPN interfaces in Windows to no avail.

The fetch can be done in Windows to (instead of https),
which of course normally results in an HTTP redirect - this makes the 
transaction a bit smaller, since no attempt at TLS.  In this case, curl
does send the HTTP headers, but there's no response, and the issue
with the "missing" packet that I described earlier is still ultimately seen
on the VPN interface.

I realize that since it's UDP, that duplicated and missing packets are
entirely possible, but could it be that this happens in a 100% repeatable
fashion in some cases? That would be strange, certainly.
