[strongSwan] Couldn't establish IKEv2 vpn connection using strongswan, log shows timeout

Tobias Brunner tobias at strongswan.org
Tue Nov 7 14:37:18 CET 2017

Hi Joshua,

>     I got some problems about the configuration of strongswan, no matter
> how I configured the IKEv2 connection just couldn't establish.

This doesn't look like a configuration issue but a network problem.  The
client does not seem to receive the IKE_SA_INIT response sent by the
server (at least initially) and, therefore, retransmits the request a
couple of times.  It seems to stop after two retransmits so it might
have received the response eventually.  But since the server doesn't
receive an IKE_AUTH request it could mean that there is an IP
fragmentation issue (also check for errors on the client).  If the
IKE_AUTH request gets too big (e.g. because of lots of certificate
requests or a large client certificate) it gets fragmented into multiple
IP packets and if some firewall/router between client and server drops
such fragments the server won't receive the full message.
As this seems to be a Windows client you might not have a lot of options
as Windows doesn't support IKEv2 fragmentation.  If you use certificate
authentication for the client you could try to switch to EAP with
username/password (but it's possible that the server's IKE_AUTH response
will get fragmented too).  Also see [1].


[1] https://wiki.strongswan.org/issues/965#note-1

More information about the Users mailing list