From 86bc044356ae37aa24ff352858d71641c00740fc Mon Sep 17 00:00:00 2001 From: yyamashita Date: Thu, 2 Jul 2026 00:21:40 +0900 Subject: Restore intermediate cert + reduce IKE fragment size to 512 bytes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit iOS/Android VPN stacks don't follow AIA to download intermediate certs, so YE1 must be sent by the server for cert chain validation. The original 1236-byte IKE fragment was being dropped mid-path. Setting fragment_size=512 splits the 1776-byte IKE_AUTH into ~4 fragments of ≤560 bytes each, which should traverse any NAT/router. Co-Authored-By: Claude Sonnet 4.6 --- vpn/docker-compose.yml | 1 + 1 file changed, 1 insertion(+) (limited to 'vpn/docker-compose.yml') diff --git a/vpn/docker-compose.yml b/vpn/docker-compose.yml index 83ff270..1961a99 100644 --- a/vpn/docker-compose.yml +++ b/vpn/docker-compose.yml @@ -8,6 +8,7 @@ services: - SYS_MODULE volumes: - ./certs/server.crt:/etc/swanctl/x509/server.crt:ro + - ./certs/server-chain.crt:/etc/swanctl/x509ca/server-chain.crt:ro - ./certs/server.key:/etc/swanctl/private/server.key:ro - ./users.conf:/etc/strongswan/users.conf:ro environment: -- cgit v1.2.3