[strongSwan] Strongswan 5.3.0 windows 7/8 configuration problem
andreas.steffen at strongswan.org
Tue May 19 12:29:40 CEST 2015
It seems that the Windows clients do not receive the IKE_AUTH
response from the strongSwan gateway, probably because the large
certificate contained in the message leads to IP fragmentation of
the UDP-based IKE datagram and the fragments get discarded somewhere
on the way:
sending end entity cert "C=NL, ST=Utrecht, L=Amersfoort, O=Globiq BV,
CN=<<full qualified host name>>"
generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
sending packet: from 10.10.0.125 to 184.108.40.206 (1468 bytes)
received packet: from 220.127.116.11 to 10.10.0.125 (1100
parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS
SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
received retransmit of request with ID 1, retransmitting response
As you can see the Windows client is retransmitting its original
IKE_AUTH request. What is the MTU in your network? Actually the IKE_AUTH
message with a size of 1468 bytes should not get fragmented with an
Ethernet MTU of 1500 bytes.
On 19.05.2015 11:34, Hans Boone wrote:
> Hi all,
> We’re using Strongswan to connect to Amazon AWS. So far we’ve been using
> strongswan 4.6.2 to connect windows 7 / 8 clients using eap-mschapv2
> with IkeV2 to the linux Strongswan server.
> Recently we’ve installed a new linux Strongswan server, and we’ve copied
> the installation to the new server. Of course we’ve created a new server
> certificate for this new server.
> Unfortunately we’re not able to connect with any windows client to the
> server. The security assertion is created, but somehow the VPN
> connection is not created, the windows clients (win 7 and win 8) report
> an 809 error.
> Any ideas what to do?
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
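
The check described in the reply above (a response that keeps being re-requested, and whether its size would exceed the MTU), as an added example that is not part of the original post or of strongSwan. It assumes the size charon logs is the UDP payload and that the packet is IPv4 without options; the function name, the sample log and the 1400-byte path MTU are constructed for illustration.

```python
import re

# Assumption: logged size is the UDP payload; add IPv4 (20, no options) + UDP (8).
IP_UDP_OVERHEAD = 20 + 8

GEN_RE = re.compile(r"generating (\S+) response (\d+) \[")
SEND_RE = re.compile(r"sending packet: from \S+ to \S+ \((\d+) bytes\)")
RETRANS_RE = re.compile(r"received retransmit of request with ID (\d+)")

# Constructed sample, modelled on the charon log lines in the message above;
# the addresses are documentation ranges, not values from the thread.
SAMPLE_LOG = """\
parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS) SA TSi TSr ]
generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
sending packet: from 192.0.2.10 to 198.51.100.20 (1468 bytes)
received packet: from 198.51.100.20 to 192.0.2.10 (1100 bytes)
received retransmit of request with ID 1, retransmitting response
received packet: from 198.51.100.20 to 192.0.2.10 (1100 bytes)
received retransmit of request with ID 1, retransmitting response
""".splitlines()


def find_unanswered_responses(lines, path_mtu=1500):
    """Report responses the peer kept re-requesting, with their on-wire size."""
    sent = {}        # message ID -> finding for the response we generated
    pending = None   # (exchange, message ID) from the latest "generating" line
    for line in lines:
        if m := GEN_RE.search(line):
            pending = (m.group(1), int(m.group(2)))
        elif (m := SEND_RE.search(line)) and pending:
            exchange, msg_id = pending
            datagram = int(m.group(1)) + IP_UDP_OVERHEAD
            sent[msg_id] = {"exchange": exchange, "msg_id": msg_id,
                            "ip_datagram_bytes": datagram,
                            "exceeds_mtu": datagram > path_mtu,
                            "retransmits": 0}
            pending = None
        elif (m := RETRANS_RE.search(line)) and int(m.group(1)) in sent:
            # The peer re-sent its request, so it never saw our response.
            sent[int(m.group(1))]["retransmits"] += 1
    return [f for f in sent.values() if f["retransmits"] > 0]


if __name__ == "__main__":
    for mtu in (1500, 1400):  # 1400 is an assumed lower path MTU
        print(mtu, find_unanswered_responses(SAMPLE_LOG, path_mtu=mtu))
```

A finding with retransmits but `exceeds_mtu` false at 1500 matches the situation in the reply: the response fits an Ethernet MTU, so the path MTU is the next thing to check.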