[strongSwan] received 250000000 lifebytes, configured 0

Dr. Rolf Jansen rj at obsigna.com
Tue Nov 4 11:08:23 CET 2014


Am 04.11.2014 um 06:51 schrieb Martin Willi <martin at strongswan.org>:

>> During connection attempts of a Windows 7 client by IKEv1 in transport mode, I see the following:
> 
>> [IKE] <L2TP/IPsec-PSK|1> received 250000000 lifebytes, configured 0
> 
> These lifebytes refer to the number of bytes the peer allows over this
> Quick Mode before it expires, as sent in its proposal. It allows 250MB
> of data, and usually should create a new Quick Mode before the old one
> expires.

Many thanks for the explanation; next time my brain will auto-translate the message to:

peer proposed 250000000 for the lifebytes parameter, configured was 0 (no limit)


Anyway, in the logs this was the most apparent difference between a working L2TP/IPsec-PSK connection initiated by Mac OS X and a non-working one initiated by Windows 7. Another difference is that the serial number, or ID, or whatever of the QUICK_MODE requests/responses which are exchanged in the same phase as the negotiation of the lifebytes parameter seems to be a random uint32_t in the case of Mac OS X, while it is always 1 in the case of Windows 7.

Both Windows 7 and Mac OS X succeed with the IPsec connection. Windows 7 is stale then, while Mac OS X happily enters into the L2TP negotiation. (one connection at a time, no multiple conn's).

Well, I have Windows 7 working with IKEv2 (machine certificates) now. This was my last attempt at IKEv1/transport mode and Windows. For me it is very clear now that Microsoft never got this straight. This reminds me of: "When you discover that you are riding a dead horse, the best strategy is to dismount."

Best regards

Rolf
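The "auto-translation" Rolf describes can be done mechanically. The following is an added example, not code from this thread or from the strongSwan project: it parses charon log lines of the shape quoted above, reads the first number as the peer's proposal and the second as the local configuration (0 meaning no limit, as Martin explains), and reports the stricter of the two. That the SA expires at whichever limit is reached first is an assumption made here for illustration, as is the seconds-based "lifetime" variant of the message; the log excerpt is constructed, not a real capture.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches the charon log line quoted in the thread, e.g.
#   [IKE] <L2TP/IPsec-PSK|1> received 250000000 lifebytes, configured 0
# and, by assumption, a seconds-based variant of the same shape
# ("received 3600s lifetime, configured 1200s").
LINE_RE = re.compile(
    r"\[IKE\]\s+<(?P<conn>[^|>]+)\|(?P<ike_sa>\d+)>\s+"
    r"received\s+(?P<received>\d+)(?P<unit>s)?\s+(?P<kind>lifebytes|lifetime),"
    r"\s+configured\s+(?P<configured>\d+)s?"
)

UNLIMITED = 0  # strongSwan logs "no limit" as 0 (per the thread)


@dataclass
class LifetimeNotice:
    conn: str
    ike_sa: int
    kind: str          # "lifebytes" or "lifetime"
    received: int      # value the peer proposed in its Quick Mode proposal
    configured: int    # local configuration; 0 = no limit

    def effective(self) -> int:
        """Stricter of the two limits, treating 0 as 'no limit'.
        Assumption for this example: the SA expires at whichever
        limit is hit first, so the lower non-zero value wins."""
        limits = [v for v in (self.received, self.configured) if v != UNLIMITED]
        return min(limits) if limits else UNLIMITED

    def describe(self) -> str:
        unit = "bytes" if self.kind == "lifebytes" else "seconds"
        conf = "no limit" if self.configured == UNLIMITED else f"{self.configured} {unit}"
        eff = self.effective()
        eff_txt = "no limit" if eff == UNLIMITED else f"{eff} {unit}"
        return (f"{self.conn} (IKE_SA {self.ike_sa}): peer proposed {self.received} {unit} "
                f"for {self.kind}, configured was {conf}; effective limit {eff_txt}")


def parse_line(line: str) -> Optional[LifetimeNotice]:
    """Return a LifetimeNotice for a matching charon line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return LifetimeNotice(m["conn"], int(m["ike_sa"]), m["kind"],
                          int(m["received"]), int(m["configured"]))


def parse_log(text: str) -> list:
    """Extract all lifetime/lifebytes notices from a log excerpt."""
    return [n for n in (parse_line(ln) for ln in text.splitlines()) if n]


# Constructed sample excerpt (not a real capture): the thread's line, a
# hypothetical seconds-based line where the local side is stricter, and an
# unrelated line that must be ignored.
SAMPLE_LOG = """\
Nov  4 10:51:02 gw charon: 05[IKE] <L2TP/IPsec-PSK|1> received 250000000 lifebytes, configured 0
Nov  4 10:51:02 gw charon: 05[IKE] <L2TP/IPsec-PSK|1> received 3600s lifetime, configured 1200s
Nov  4 10:51:02 gw charon: 05[IKE] <L2TP/IPsec-PSK|1> sending retransmit 1 of request message ID 1
"""

if __name__ == "__main__":
    for notice in parse_log(SAMPLE_LOG):
        print(notice.describe())
```

Run it against a real charon log (e.g. `journalctl -u strongswan | python3 translate_lifebytes.py` after replacing SAMPLE_LOG with `sys.stdin.read()`) to get one readable line per negotiated limit; the hypothetical script name is only a suggestion.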
