[strongSwan] Win 8.1 fails to connect - error 809 - fragmentation problem?
Noel Kuntze
noel at familie-kuntze.de
Sun Jun 7 22:35:34 CEST 2015
Hello Conrad,
tcpdumps are completely unusable for debugging purposes.
Please create a log file using a filelogger[1] and the following settings.
Then pastebin us that log. For the moment, try setting leftid to the public IP of your server.
I think Win 8.1 wants the public IP (even if you tell it to connect to a DNS name) as responder ID.
Fragmentation is only a problem if there is a broken router
in between, you're using IPv4, and the packets get larger than the MTU.
Settings:
default = 3
mgr = 1
ike = 1
net = 1
enc = 0
cfg = 2
asn = 1
job = 1
knl = 1
append=no
ike_name=no
flush_line=yes
time_format=%a, %Y-%m-%d %R
[1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 07.06.2015 at 22:30, Conrad Kostecki wrote:
> Hi!
>
> I am using a Windows 8.1 client (it's behind a NAT IPv4 router)
> and trying to connect to my StrongSwan server, installed on my root server.
> But this is failing, because Windows reports error 809.
>
> My StrongSwan configuration is:
> config setup
>     charondebug="cfg 0, dmn 2, ike 2, net 2, lib 3"
>
> conn %default
>     dpdaction=clear
>     dpddelay=60s
>     esp=sha512-modp4096
>     fragmentation=yes
>     ike=sha512-modp4096
>     keyexchange=ikev2
>     mobike=yes
>
> conn roadwarrior
>     auto=add
>     eap_identity=%any
>     fragmentation=yes
>     left=%any
>     leftauth=pubkey
>     leftcert=server.crt
>     leftsubnet=0.0.0.0/0,::/0
>     leftid="C=xx, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=xxx, E=xxx"
>     right=%any
>     rightauth=eap-mschapv2
>     rightsourceip=192.168.164.0/24
>
> So, I've started to capture packets. What I can see:
>
> Windows 8.1 client:
> It sends IKE_SA_INIT and gets a response
> After this, it sends IKE_AUTH and retries? two times again.
> -> https://www.bl4ckb0x.de/client.bin
>
> Linux IPv4 NAT router, to which the windows 8.1 client is connected:
> IKE_SA_INIT is sent to server, response received and forwarded to client.
> But I don't see the IKE_AUTH anymore. I can only see three times fragmentation. Are these the IKE_AUTH packets?
> -> https://www.bl4ckb0x.de/router.client.bin
>
> StrongSwan server on the internet:
> IKE_SA_INIT is received and replied back.
> IKE_AUTH never arrives. Not even a fragmented packet.
> -> https://www.bl4ckb0x.de/server.bin
>
> So, is this a problem of fragmented packets? If so, what can I do? fragmentation=yes is at least set. I am unsure, which part causes that fragmentation?
>
> Any ideas?
>
> Thanks!
> Conrad
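Added example, not part of the original message or of strongSwan: when reading captures of the kind discussed above, only the first IPv4 fragment carries the UDP header, so later fragments can be tied to IKE traffic (UDP 500/4500) only through the IP ID they share with the first one. The function names and the sample packets below are constructed for illustration.

```python
import struct

IKE_PORTS = {500, 4500}  # UDP ports for IKE and IKE over NAT-T

def parse_ipv4(pkt):
    """Return the fragmentation-relevant fields of one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    ident, flags_off = struct.unpack("!HH", pkt[4:8])
    offset = (flags_off & 0x1FFF) * 8          # fragment offset in bytes
    more = bool(flags_off & 0x2000)            # MF: more fragments follow
    ports = None
    # Only the first fragment (offset 0) carries the UDP header and its ports.
    if pkt[9] == 17 and offset == 0 and len(pkt) >= ihl + 4:
        ports = struct.unpack("!HH", pkt[ihl:ihl + 4])
    key = (pkt[12:16], pkt[16:20], pkt[9], ident)   # src, dst, proto, IP ID
    return key, offset, more, ports

def fragmented_ike(packets):
    """Map the IP ID of each fragmented IKE datagram to its fragment count."""
    counts, ike_keys = {}, set()
    for pkt in packets:
        key, offset, more, ports = parse_ipv4(pkt)
        if not more and offset == 0:
            continue                            # whole datagram, not a fragment
        counts[key] = counts.get(key, 0) + 1
        if ports and IKE_PORTS & set(ports):
            ike_keys.add(key)
    return {key[3]: n for key, n in counts.items() if key in ike_keys}

def build(ident, flags_off, payload):
    """Constructed test packet: 20-byte IPv4 header (checksum left 0) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, 17, 0, bytes([192, 0, 2, 10]),
                      bytes([198, 51, 100, 1]))
    return hdr + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed sample: a small datagram on port 500 that fits in one packet,
# then a 2000-byte datagram on port 4500 split into two fragments.
big = udp(4500, 4500, b"\x00" * 1992)
SAMPLE = [
    build(1, 0, udp(500, 500, b"\x00" * 300)),
    build(2, 0x2000, big[:1480]),       # first fragment: MF set, offset 0
    build(2, 1480 // 8, big[1480:]),    # last fragment: offset 1480, no UDP header
]
```

If the same IP ID shows fewer fragments at the server than at the client-side router, the fragments are being dropped somewhere on the path between the two capture points.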