[strongSwan] Couldn't establish IKEv2 vpn connection using strongswan, log shows timeout
tobias at strongswan.org
Tue Nov 7 14:37:18 CET 2017
> I got some problems about the configuration of strongswan, no matter
> how I configured the IKEv2 connection just couldn't establish.
This doesn't look like a configuration issue but a network problem. The
client does not seem to receive the IKE_SA_INIT response sent by the
server (at least initially) and, therefore, retransmits the request a
couple of times. It seems to stop after two retransmits so it might
have received the response eventually. But since the server doesn't
receive an IKE_AUTH request it could mean that there is an IP
fragmentation issue (also check for errors on the client). If the
IKE_AUTH request gets too big (e.g. because of lots of certificate
requests or a large client certificate) it gets fragmented into multiple
IP packets and if some firewall/router between client and server drops
such fragments the server won't receive the full message.
As this seems to be a Windows client you might not have a lot of options
as Windows doesn't support IKEv2 fragmentation. If you use certificate
authentication for the client you could try to switch to EAP with
username/password (but it's possible that the server's IKE_AUTH response
will get fragmented too). Also see .
More information about the Users