[strongSwan] Win 8.1 fails to connect - error 809 - fragmentation problem?

Noel Kuntze noel at familie-kuntze.de
Sun Jun 7 23:09:40 CEST 2015


Hello Conrad,

Your certificate lacks a SAN field for your IP, so strongSwan defaults
back to the DN of the certificate. Generate a new certificate for the server, which has that SAN field
set. It is also advisable to set a SAN field for the DNS name.

> Sun, 2015-06-07 % 05[CFG]   id '5.9.63.241' not confirmed by certificate, defaulting to 'C=DE, ST=Niedersachsen, L=Hannover, O=Privat, OU=StrongSwan, CN=vpn.bl4ckb0x.de, E=ck at bl4ckb0x.de'

Furthermore, your "esp" and "ike" settings are wrong. Please set
them correctly. Refer to the man page for details.
Also set fragmentation=yes, because you use certificates
and try setting the IKE proposal to secure values.

I googled error 809 for Windows 8.1 and it means that the remote server didn't respond.
Check intermediate and local firewalls to check if they allow outbound IPsec traffic.

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 07.06.2015 um 22:54 schrieb Conrad Kostecki:
> Hello Noel,
>
>> tcpdumps are completely unusable for debugging purposes.
>> Please create a log file using a filelogger[1] and the following settings.
>
> thanks for your reply. I wasn't aware, that they are completely unusable.
> Here is the log file: https://www.bl4ckb0x.de/charon.log
>
>> Then pastebin us that log. For the moment, try setting leftid to the
>> public IP of your server.
> You mean leftid=xxx.xxx.xxx.xxx? I've done so now. It didn't help.
>
>> Fragmentation is only a problem if there is a broken router
>> in between, you're using IPv4, and the packets get larger than the MTU.
>
> Okay. At least I am using IPv4.
>
> Conrad

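The SAN advice in the message above, as an added example that is not part of the original thread: it builds a test certificate with OpenSSL and checks whether a given `leftid` value is present in the subjectAltName with the matching entry type. The address 203.0.113.10 and the name vpn.example.org are placeholders, the certificate is self-signed only for brevity, and the type-matching rule in `san_covers` is an assumption of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). Placeholder identities from the
# documentation ranges are used: 203.0.113.10 and vpn.example.org.
set -eu

# make_cert <dir> <san-string>: self-signed test certificate with the given
# subjectAltName. Self-signing is for brevity; a real server certificate
# would be issued by the VPN's CA.
make_cert() {
  cat > "$1/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = vpn.example.org
[v3]
subjectAltName = $2
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/san.cnf" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# san_covers <cert> <id>: succeed only if <id> is present as a SAN entry of
# the matching type (IPv4-form ids need an "IP Address" entry, names a "DNS"
# one). Assumption of this sketch: an IP stored as a DNS entry does not count.
san_covers() {
  case $2 in
    *[!0-9.]*) want="DNS:$2" ;;
    *)         want="IP Address:$2" ;;
  esac
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 |
    tr ',' '\n' | sed 's/^ *//; s/ *$//' |
    grep -xF "$want" >/dev/null
}

# report <cert> <id>: print the verdict for one identity.
report() {
  if san_covers "$1" "$2"; then echo "$2: confirmed by certificate"
  else echo "$2: NOT in SAN, identity would fall back to the DN"; fi
}

work=$(mktemp -d)
make_cert "$work" "IP:203.0.113.10, DNS:vpn.example.org"
report "$work/cert.pem" 203.0.113.10
report "$work/cert.pem" vpn.example.org
report "$work/cert.pem" 198.51.100.7
rm -rf "$work"
```

Running `san_covers` against the certificate the server actually presents, with the configured `leftid` as the second argument, shows before a connection attempt whether the "not confirmed by certificate" fallback will occur.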
