[strongSwan] Win 8.1 fails to connect - error 809 - fragmentation problem?

Conrad Kostecki ck+strongswanusers at bl4ckb0x.de
Mon Jun 8 00:30:21 CEST 2015


Hello Noel,

> Your certificate lacks a SAN field for your IP, so strongSwan defaults
> back to the DN of the certificate. Generate a new certificate for the
> server, which has that SAN field
> set. It is also advisable to set a SAN field for the DNS name.
> 
>> Sun, 2015-06-07 % 05[CFG]   id '5.9.63.241' not confirmed by 
>> certificate, defaulting to 'C=DE, ST=Niedersachsen, L=Hannover, 
>> O=Privat, OU=StrongSwan, CN=vpn.bl4ckb0x.de, E=ck at bl4ckb0x.de'

Okay. I've fixed it. SAN fields with my IP are now in the certificate. 
But it didn't change anything.

> Furthermore, your "esp" and "ike" settings are wrong. Please set
> them correctly. Refer to the man page for details.

I've set this now to:
esp=aes256-sha1!
ike=aes256-sha1-modp1024!

That should be okay for a start.

> Also set fragmentation=yes, because you use certificates
> and try setting the IKE proposal to secure values.

fragmentation=yes is already set.

> I googled error 809 for Windows 8.1 and it means that the remote
> server didn't respond.
> Check intermediate and local firewalls to check if they allow outbound
> IPsec traffic.

Well. How can I debug this specifically? My Linux router is set up with 
these iptables rules:

$IPTABLES --append INPUT --protocol 50 --jump ACCEPT
$IPTABLES --append INPUT --protocol 51 --jump ACCEPT
$IPTABLES --append INPUT --protocol udp --destination-port 500 --jump ACCEPT
$IPTABLES --append INPUT --protocol udp --destination-port 4500 --jump ACCEPT

Do I have to forward it explicitly to the Windows client behind the 
router?

Conrad

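Noel's diagnostic question (does the gateway see the client's request at all, and does its reply leave?) can be answered from charon's own log on the strongSwan server. The script below is an added example, not code from the thread, from strongSwan or from either poster: it groups charon's [NET]/[ENC]/[IKE] lines by peer address and reports at which step the exchange stops. The log lines in SAMPLE_LOG are constructed samples modeled on charon's output; the "thread[subsystem]" prefix and the "received packet: from A[port] to B[port] (n bytes)" layout are assumptions, so adapt the regexes if your charon build prints differently.

```python
"""Locate where an IKEv2 exchange stops, from the responder's charon log.

Added example for the thread above; not code from strongSwan or the posters.
SAMPLE_LOG is CONSTRUCTED, modeled on charon's [NET]/[ENC]/[IKE] lines; the
exact field layout is an assumption, so adapt the regexes if yours differ.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: IKE_SA_INIT completes, the IKE_AUTH reply (carrying the
# server certificate) is split into three fragments, then the peer goes silent.
SAMPLE_LOG = """\
05[NET] received packet: from 203.0.113.7[500] to 5.9.63.241[500] (880 bytes)
05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
05[IKE] 203.0.113.7 is initiating an IKE_SA
05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
05[NET] sending packet: from 5.9.63.241[500] to 203.0.113.7[500] (456 bytes)
06[NET] received packet: from 203.0.113.7[4500] to 5.9.63.241[4500] (1308 bytes)
06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR DNS) SA TSi TSr ]
06[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) SA TSi TSr ]
06[ENC] splitting IKE message (3124 bytes) into 3 fragments
06[NET] sending packet: from 5.9.63.241[4500] to 203.0.113.7[4500] (1236 bytes)
06[NET] sending packet: from 5.9.63.241[4500] to 203.0.113.7[4500] (1236 bytes)
06[NET] sending packet: from 5.9.63.241[4500] to 203.0.113.7[4500] (740 bytes)
"""

THREAD = re.compile(r"^\s*(\d+)\[")
RECV = re.compile(r"\[NET\] received packet: from ([^\s\[]+)\[(\d+)\] to [^\s\[]+\[\d+\] \((\d+) bytes\)")
SEND = re.compile(r"\[NET\] sending packet: from [^\s\[]+\[\d+\] to ([^\s\[]+)\[(\d+)\] \((\d+) bytes\)")
PARSED = re.compile(r"\[ENC\] parsed (\w+) request")
FRAG = re.compile(r"splitting IKE message \(\d+ bytes\) into (\d+) fragments")
ESTABLISHED = re.compile(r"IKE_SA \S+ established")


@dataclass
class PeerStats:
    received: int = 0          # datagrams charon logged as received from the peer
    sent: int = 0              # datagrams charon logged as sent to the peer
    largest_sent: int = 0      # bytes in the largest single datagram sent
    ports: set = field(default_factory=set)      # UDP ports seen (500, 4500)
    requests: list = field(default_factory=list)  # exchange types parsed, in order
    fragments: int = 0         # fragments in the largest split reply, 0 if none
    established: bool = False


def parse_charon_log(text):
    """Group lines by peer. charon prefixes each line with a worker thread id, so
    [ENC]/[IKE] lines are attributed to the peer that thread last talked to
    (an assumption about how charon interleaves its log output)."""
    peers, thread_peer = {}, {}
    for line in text.splitlines():
        t = THREAD.match(line)
        thread = t.group(1) if t else None
        if m := RECV.search(line):
            st = peers.setdefault(m.group(1), PeerStats())
            st.received += 1
            st.ports.add(int(m.group(2)))
            thread_peer[thread] = m.group(1)
            continue
        if m := SEND.search(line):
            st = peers.setdefault(m.group(1), PeerStats())
            st.sent += 1
            st.ports.add(int(m.group(2)))
            st.largest_sent = max(st.largest_sent, int(m.group(3)))
            thread_peer[thread] = m.group(1)
            continue
        peer = thread_peer.get(thread)
        if peer is None:
            continue
        st = peers[peer]
        if m := PARSED.search(line):
            st.requests.append(m.group(1))
        elif m := FRAG.search(line):
            st.fragments = max(st.fragments, int(m.group(1)))
        elif ESTABLISHED.search(line):
            st.established = True
    return peers


def diagnose(peers, client_ip):
    """Return (code, explanation) for the exchange with the given client address."""
    st = peers.get(client_ip)
    if st is None or st.received == 0:
        return ("NO_INBOUND", f"charon never logged a packet from {client_ip}: UDP 500/4500 "
                "is not reaching the gateway (firewall/NAT on the path, or charon not listening there)")
    if st.established:
        return ("ESTABLISHED", "IKE_SA established; this exchange is not the failing one")
    ports = "/".join(str(p) for p in sorted(st.ports))
    if st.sent == 0:
        return ("NO_RESPONSE", f"{st.received} packet(s) received on UDP {ports} but no reply "
                "sent: the gateway itself rejected the request; read its [CFG]/[IKE] lines for why")
    if "IKE_AUTH" not in st.requests:
        return ("INIT_RESPONSE_LOST", f"IKE_SA_INIT reply sent ({st.largest_sent} bytes) but the "
                f"peer never sent IKE_AUTH: the return path to {client_ip} on UDP {ports} is the suspect")
    size = (f"{st.fragments} fragments, largest {st.largest_sent} bytes" if st.fragments
            else f"unfragmented, {st.largest_sent} bytes")
    return ("AUTH_RESPONSE_LOST", f"IKE_AUTH reply sent ({size}) but the peer never continued: "
            f"the return path on UDP {ports} or the size of that reply (certificate) is the suspect")


if __name__ == "__main__":
    stats = parse_charon_log(SAMPLE_LOG)
    for ip in stats:
        code, why = diagnose(stats, ip)
        print(f"{ip}: {code}: {why}")
```

Feed it the charon log from the strongSwan server (syslog or `journalctl`) and the client's public address: the case Noel describes, where nothing ever reaches the gateway, comes out as NO_INBOUND and is a firewall or NAT-path problem in front of the server; a reply that charon logs as sent but the client never sees (the 809 symptom) narrows the search to the path back to the client and, when the reply was split into fragments, to whether those fragments survive that path.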