[strongSwan] deleting half open IKE_SA after timeout
Volker Rümelin
vr_strongswan at t-online.de
Sun Mar 1 18:16:50 CET 2015
Hi Denis,
> Hello,
>
> my previous suggestion was wrong. I've compared tcpdumps on working and non-working hosts again, and found that in broken case client continues to re-send this packed to server:
>
> 19:53:09.673551 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 1212)
> 93.74.135.165.4500 > 179.179.179.179.4500: [udp sum ok] NONESP-encap: isakmp 1.0 msgid 00000000 cookie 7c7f3d5d2c5f466b->5121f3fa3093c391: phase 1 I ident[E]: [encrypted id]
> 19:53:09.673935 IP (tos 0x0, ttl 64, id 28340, offset 0, flags [+], proto UDP (17), length 1500)
> 179.179.179.179.4500 > 93.74.135.165.4500: NONESP-encap: isakmp 1.0 msgid 00000000 cookie 7c7f3d5d2c5f466b->5121f3fa3093c391: phase 1 R ident[E]: [encrypted id] (len mismatch: isakmp 1660/ip 1468)
you have a network problem. As you can see from the flags [+] this is
the first fragment of a UDP message. The following fragment is missing.
A router or firewall dropped it on route to your server.
> 14:44:12.274524 IP 179.179.179.179.4500 > 46.211.137.122.43918: NONESP-encap: isakmp: phase 1 R ident[E]
> 14:44:12.274536 IP 179.179.179.179 > 46.211.137.122: ip-proto-17
The second packet from your working example is the fragment you are missing.
If fixing your network problem is not an option, you can try if
fragmentation=yes in the conn %default section in ipsec.conf helps.
Regards,
Volker
More information about the Users
mailing list