[strongSwan] Windows 7 IKEv2 Error

Martin Willi martin at strongswan.org
Fri Jan 3 10:27:55 CET 2014


> 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> 07[NET] sending packet: from[500] to 98.26.22x.xx[500]
> 03[NET] received packet: from 98.26.22x.xx[4500] to[4500]
> 03[ENC]   not enough input to parse rule 10 ENCRYPTED_DATA
> 03[ENC] payload type ENCRYPTED could not be parsed
> 03[IKE] message parsing failed
> 03[ENC] generating IKE_AUTH response 1 [ N(INVAL_SYN) ]

> This use to work until we moved offices and got a new public ip. The
> above leftid reflects the new public ip. I just thought about
> something, the CN in the cert, does it need to reflect the new public
> ip?

No, authentication works independent of payload encryption in IKEv2, so
anything wrong with your credentials wouldn't fail that way.

More likely is a fragmentation issue: Windows 7 sends a certificate
request for each and every CA it knows about, sometimes summing up to
several KB of CERTREQs. If these fragments are not reassembled
completely/correctly, decryption fails.

I'd try to identify how many fragments you see for this IKE_AUTH, and if
they get reassembled correctly on the strongSwan end.


More information about the Users mailing list