[strongSwan] Strongswan 5.3.0 windows 7/8 configuration problem

Andreas Steffen andreas.steffen at strongswan.org
Tue May 19 12:29:40 CEST 2015


Hi Hans,

it seems that the Windows client does not receive the IKE_AUTH
response from the strongSwan gateway, probably because the large
certificate contained in the message leads to IP fragmentation of
the UDP-based IKE datagram and the fragments get discarded somewhere
on the way:

sending end entity cert "C=NL, ST=Utrecht, L=Amersfoort, O=Globiq BV, CN=<<full qualified host name>>"

generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]

sending packet: from 10.10.0.125[4500] to 222.127.206.61[39239] (1468 bytes)

received packet: from 222.127.206.61[39239] to 10.10.0.125[4500] (1100 bytes)

parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]

received retransmit of request with ID 1, retransmitting response

As you can see the Windows client is retransmitting its original
IKE_AUTH request. What is the MTU in your network? Actually the IKE_AUTH
message with a size of 1468 bytes should not get fragmented with an
Ethernet MTU of 1500 bytes.

Best regards

Andreas

On 19.05.2015 11:34, Hans Boone wrote:
> Hi all,
>
> We’re using Strongswan to connect to Amazon AWS. So far we’ve been using
> strongswan 4.6.2 to connect windows 7 / 8 clients using eap-mschapv2
> with IkeV2 to the linux Strongswan server.
>
> Recently we’ve installed a new linux Strongswan server, and we’ve copied
> the installation to the new server. Of course we’ve created a new server
> certificate for this new server.
>
> Unfortunately we’re not able to connect with any windows client to the
> server. The security assertion is created, but somehow the VPN
> connection is not created, the windows clients (win 7 and win 8) report
> an 809 error.
>
> Any ideas what to do?

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
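
The diagnosis in the message above, as an added example that is not part of the original post or of strongSwan: a small Python check that scans gateway log lines for a response the peer kept re-requesting and reports whether that response fits a given path MTU. It assumes the log covers a single IKE_SA and that the logged size is the UDP payload carried over IPv4 without options; the function names are hypothetical.

```python
import re

# Assumption: the logged size is the UDP payload, sent over IPv4 without options.
IPV4_UDP_OVERHEAD = 20 + 8

GENERATING = re.compile(r"generating (\S+) response (\d+) \[ (.*?) \]")
SENDING = re.compile(r"sending packet: from \S+ to \S+ \((\d+) bytes\)")
RETRANSMIT = re.compile(r"received retransmit of request with ID (\d+)")

# Log lines quoted in the message above (gateway side, single IKE_SA).
SAMPLE_LOG = [
    "generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]",
    "sending packet: from 10.10.0.125[4500] to 222.127.206.61[39239] (1468 bytes)",
    "received packet: from 222.127.206.61[39239] to 10.10.0.125[4500] (1100 bytes)",
    "received retransmit of request with ID 1, retransmitting response",
]

def find_unanswered_responses(lines):
    """Return responses whose request the peer retransmitted (response likely lost)."""
    responses, current = {}, None
    for line in lines:
        if m := GENERATING.search(line):
            current = int(m.group(2))
            responses[current] = {"exchange": m.group(1), "id": current,
                                  "has_cert": "CERT" in m.group(3).split(),
                                  "bytes": None, "retransmits": 0}
        elif (m := SENDING.search(line)) and current is not None:
            # Only the first send after "generating" is the original response;
            # later sends for the same ID are retransmissions of it.
            if responses[current]["bytes"] is None:
                responses[current]["bytes"] = int(m.group(1))
        elif (m := RETRANSMIT.search(line)) and int(m.group(1)) in responses:
            responses[int(m.group(1))]["retransmits"] += 1
    return [r for r in responses.values() if r["retransmits"] and r["bytes"]]

def datagram_size(record):
    """Size of the IPv4 datagram carrying the IKE message."""
    return record["bytes"] + IPV4_UDP_OVERHEAD

def needs_fragmentation(record, path_mtu):
    """True if the response cannot cross a link with this MTU in one piece."""
    return datagram_size(record) > path_mtu

if __name__ == "__main__":
    for r in find_unanswered_responses(SAMPLE_LOG):
        print(r, datagram_size(r),
              needs_fragmentation(r, 1500), needs_fragmentation(r, 1492))
```

The 1468-byte response becomes a 1496-byte datagram under these assumptions, so it fits a 1500-byte Ethernet MTU but is fragmented on any hop with a smaller MTU, such as the 1492 bytes typical of PPPoE.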
