[strongSwan] Clients disconnect after 240 minutes
Tiago Vasconcelos
tiago.o.vasconcelos at gmail.com
Mon Feb 4 17:09:38 CET 2013
Thank you for the tips, Andreas and Martin. Unfortunately, I'm still
struggling with the same problem. 'reauth=no' didn't help, BTW.
In my ipsec.conf I have currently:
conn win7
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpddelay=300s
    rekey=no
and
conn %default
    ikelifetime=8h
    [among other settings]
But the clients still lose connection every 240 minutes.
The clients affected are behind NAT and use Windows 7 native client.
Every time the client loses connection, in the strongSwan 4.6.4 logs it
appears:
charon: 10[NET] received packet: from 12.7.10.2[4500] to 6.34.22.1[4500]
charon: 10[ENC] not enough input to parse rule 14 NOTIFICATION_DATA
charon: 10[ENC] could not decrypt payloads
charon: 10[IKE] message parsing failed
charon: 10[ENC] generating CREATE_CHILD_SA response 0 [ N(INVAL_SYN) ]
charon: 10[NET] sending packet: from 6.34.22.1[4500] to 12.7.10.2[4500]
charon: 10[IKE] CREATE_CHILD_SA request with message ID 0 processing failed
or
charon: 10[NET] received packet: from 12.7.10.2[4500] to 6.34.22.1[4500]
charon: 10[ENC] not enough input to parse rule 13 SPI
charon: 10[ENC] could not decrypt payloads
charon: 10[IKE] message parsing failed
charon: 10[ENC] generating CREATE_CHILD_SA response 0 [ N(INVAL_SYN) ]
charon: 10[NET] sending packet: from 6.34.22.1[4500] to 12.7.10.2[4500]
charon: 10[IKE] CREATE_CHILD_SA request with message ID 0 processing failed
So the apparent cause is either a
not enough input to parse rule 14 NOTIFICATION_DATA
or a
not enough input to parse rule 13 SPI
What does this mean?
Will it be helpful if I increase the debugging?
Thanks,
Tiago
On 27/11/12 08:20, Martin Willi wrote:
> Hi Tiago,
>
>> Hmmm, probably the Win7 clients don't like re-authentication proposed
>> by the strongSwan gateway.
>
> Also check that you use modp1024 as your first DH group, and let the
> client initiate rekeying if it is behind NAT. See [1].
>
> Regards
> Martin
>
> [1] http://wiki.strongswan.org/projects/strongswan/wiki/Windows7#Rekeying-behavior