[strongSwan] Windows 7 IKEv2 Error
Martin Willi
martin at strongswan.org
Fri Jan 3 10:27:55 CET 2014
Hi,
> 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> 07[NET] sending packet: from 192.168.1.18[500] to 98.26.22x.xx[500]
> 03[NET] received packet: from 98.26.22x.xx[4500] to 192.168.1.18[4500]
> 03[ENC] not enough input to parse rule 10 ENCRYPTED_DATA
> 03[ENC] payload type ENCRYPTED could not be parsed
> 03[IKE] message parsing failed
> 03[ENC] generating IKE_AUTH response 1 [ N(INVAL_SYN) ]
> This used to work until we moved offices and got a new public IP. The
> above leftid reflects the new public IP. I just thought about
> something, the CN in the cert, does it need to reflect the new public
> IP?
No, authentication works independently of payload encryption in IKEv2, so
anything wrong with your credentials wouldn't fail that way.

More likely is a fragmentation issue: Windows 7 sends a certificate
request for each and every CA it knows about, sometimes summing up to
several KB of CERTREQs. If these fragments are not reassembled
completely/correctly, decryption fails.

I'd try to identify how many fragments you see for this IKE_AUTH, and if
they get reassembled correctly on the strongSwan end.

Regards
Martin
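
One way to run the fragment check suggested above, as an added example that is not part of the original message or of strongSwan: it counts the IPv4 fragments seen per datagram, checks that they reassemble without holes, and compares the bytes received with the length declared in the IKE header. The function names are hypothetical, the packets are constructed (203.0.113.7 is a placeholder peer address), and IP checksums are not verified.

```python
import struct

def parse_ipv4(pkt):
    """Return (datagram key, byte offset, more-fragments flag, payload)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_off = struct.unpack("!HHH", pkt[2:8])
    key = (pkt[12:16], pkt[16:20], pkt[9], ident)  # src, dst, protocol, IP ID
    return key, (flags_off & 0x1FFF) * 8, bool(flags_off & 0x2000), pkt[ihl:total_len]

def fragment_report(packets):
    """Per datagram: fragment count, whether they reassemble, IKE length check."""
    groups = {}
    for pkt in packets:
        key, off, mf, payload = parse_ipv4(pkt)
        groups.setdefault(key, []).append((off, mf, payload))
    report = []
    for key, frags in groups.items():
        frags.sort(key=lambda f: f[0])
        data, complete = b"", not frags[-1][1]  # final fragment must have MF=0
        for off, _, payload in frags:
            if off > len(data):                 # hole: a fragment never arrived
                complete = False
                break
            data += payload[len(data) - off:]   # tolerate duplicates/overlap
        entry = {"ip_id": key[3], "fragments": len(frags), "complete": complete,
                 "ike_declared": None, "ike_received": None}
        if key[2] == 17 and len(data) >= 40:    # UDP, enough bytes for an IKE header
            skip = 12 if 4500 in struct.unpack("!HH", data[:4]) else 8  # +4: non-ESP marker
            entry["ike_declared"] = struct.unpack("!I", data[skip + 24:skip + 28])[0]
            entry["ike_received"] = len(data) - skip
        report.append(entry)
    return report

def build_sample(ike_len=3000, chunk=1480):
    """Constructed input: one large IKE_AUTH datagram cut into IPv4 fragments."""
    ike = bytes(16) + bytes([46, 0x20, 35, 0x08]) + struct.pack("!II", 1, ike_len)
    udp = struct.pack("!HHHH", 4500, 4500, 12 + ike_len, 0) + bytes(4)
    udp += ike + bytes(ike_len - len(ike))
    pkts = []
    for off in range(0, len(udp), chunk):
        part = udp[off:off + chunk]
        pkts.append(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(part), 0x1234,
                                (0x2000 if off + chunk < len(udp) else 0) | off // 8,
                                64, 17, 0, bytes([203, 0, 113, 7]), bytes([192, 168, 1, 18])) + part)
    return pkts

if __name__ == "__main__":
    pkts = build_sample()
    print(fragment_report(pkts), fragment_report([pkts[0], pkts[2]]))
```

In the second report the middle fragment is missing, so `complete` is false and `ike_received` is smaller than `ike_declared`.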