[strongSwan] Win 8.1 fails to connect - error 809 - fragmentation problem?
Conrad Kostecki
ck+strongswanusers at bl4ckb0x.de
Mon Jun 8 00:30:21 CEST 2015
Hello Noel,
> Your certificate lacks a SAN field for your IP, so strongSwan defaults
> back to the DN of the certificate. Generate a new certificate for the
> server, which has that SAN field
> set. It is also advisable to set a SAN field for the DNS name.
>
>> Sun, 2015-06-07 % 05[CFG] id '5.9.63.241' not confirmed by
>> certificate, defaulting to 'C=DE, ST=Niedersachsen, L=Hannover,
>> O=Privat, OU=StrongSwan, CN=vpn.bl4ckb0x.de, E=ck at bl4ckb0x.de'
Okay. I've fixed it. SAN fields with my IP are now in the certificate.
But it didn't change anything.
> Furthermore, your "esp" and "ike" settings are wrong. Please set
> them correctly. Refer to the man page for details.
I've set this now to:
esp=aes256-sha1!
ike=aes256-sha1-modp1024!
That should be okay for a start.
> Also set fragmentation=yes, because you use certificates
> and try setting the IKE proposal to secure values.
fragmentation=yes is already set.
> I googled error 809 for Windows 8.1 and it means, that the remote
> server didn't respond.
> Check intermediate and local firewalls to check if they allow outbound
> IPsec traffic.
Well. How can I debug this specifically? My Linux router is set up with
iptables:
$IPTABLES --append INPUT --protocol 50 --jump ACCEPT
$IPTABLES --append INPUT --protocol 51 --jump ACCEPT
$IPTABLES --append INPUT --protocol udp --destination-port 500 --jump ACCEPT
$IPTABLES --append INPUT --protocol udp --destination-port 4500 --jump ACCEPT
Do I have to forward it explicitly to the Windows client behind the
router?
Conrad
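As an added example, not part of this thread and not strongSwan's own tooling, the POSIX shell script below scans an `iptables -S <chain>` dump for the four allow rules the mail above lists (ESP, AH, IKE on UDP/500, NAT-T on UDP/4500) and reports which are missing, so the firewall side of the "remote server didn't respond" diagnosis can be confirmed or ruled out quickly. The dumps embedded in it are constructed samples, and the function name `check_ipsec_rules` is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the thread): check an `iptables -S <chain>` dump for
# the rules IPsec needs and report which are missing. Against a live router:
#   check_ipsec_rules INPUT "$(iptables -S INPUT)"

# Constructed sample dump, shaped like what `iptables -S INPUT` prints for
# rules such as the four in the mail above (protocol 50/51 show up by name).
SAMPLE_INPUT='-P INPUT DROP
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT'

# Constructed dump with the NAT-T rule left out, to show a failing check.
SAMPLE_INPUT_NO_NATT='-P INPUT DROP
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT'

# check_ipsec_rules CHAIN DUMP
# Prints one line per missing rule. The return value is the number of missing
# rules, so 0 means the chain accepts everything IPsec/IKE needs.
check_ipsec_rules() {
    chain=$1
    dump=$2
    missing=0
    # Each entry is "label|extended regex". Protocols may be printed by name
    # or by number depending on /etc/protocols, so both forms are accepted.
    for want in \
        "ESP (IP protocol 50)|^-A $chain .*-p (esp|50) .*-j ACCEPT" \
        "AH (IP protocol 51)|^-A $chain .*-p (ah|51) .*-j ACCEPT" \
        "IKE (UDP 500)|^-A $chain .*-p udp .*--dport 500 .*-j ACCEPT" \
        "NAT-T (UDP 4500)|^-A $chain .*-p udp .*--dport 4500 .*-j ACCEPT"
    do
        label=${want%%|*}
        pattern=${want#*|}
        if ! printf '%s\n' "$dump" | grep -Eq "$pattern"; then
            echo "MISSING in $chain: $label"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Stand-alone demonstration on the constructed dumps.
check_ipsec_rules INPUT "$SAMPLE_INPUT" && echo "INPUT: all IPsec rules present"
check_ipsec_rules INPUT "$SAMPLE_INPUT_NO_NATT" || echo "INPUT: $? rule(s) missing"
```

Because the chain name is a parameter, the same function can be pointed at a `FORWARD` dump when the question is whether the router passes IKE and ESP on to a host behind it rather than accepting them for itself; the check only reports what is present in the dump and does not change any rules.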