[strongSwan] IKE2 4500 Reply Not Making it Out

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Sat Mar 24 22:39:48 CET 2018


After two minutes of searching the strongSwan github mirror for the error message, I can tell you that the problem is that the assembled IKE message exceeds charon.max_packet, which defaults to 10000.
Simply raise that limit in charon.conf. E.g. to 30000.

On 24.03.2018 22:35, Info wrote:
>
> On 03/23/2018 01:25 PM, Info wrote:
>> On 03/23/2018 12:57 PM, Info wrote:
>>>
>>>>> Is there anything logged by the kernel in its ring buffer?
>>>>> And please add the route I previously mentioned. And stop using ifconfig, or generally the net-tools.
>>>>>
>>>>> Kind regards
>>>>>
>>>>> Noel
>>>>
>>> Looks like journalctl is more useful.  Apparently something was wrong with my prior charon.conf setup, so I've merged the two sections into one.
>>>
>>> Attached.
>>>
>> "[ENC] fragmented IKE message is too large"
>>
>> My CA key and machine keys are generated with:
>> # strongswan pki --gen --type rsa --outform pem --size 16384 > /etc/pki/CA/private/{CAmachinename}-CAkey.pem
>> # strongswan pki --gen --type rsa --outform pem --size 16384 > /etc/pki/ipsec/private/{machineA}-Key.pem
>>
>> ... and Noel says that's ridiculous. But we all have our peculiar ways. G**gle is baffled, but this may have something to do with MTU, which is 1500 on the eth0 interface. Cert sizes are ~6043 Bytes and for the CA cert 6067. I once tried to set MTU to 9000, but the outside interface in the LAN gateway refused anything higher than 1500 (DHCP), so that's a problem. Idk whether this is the problem, and if so what to do about it?
>
> So my large key/cert size is not the problem.  Same thing happens with CA key & cert, and machine key & cert for both ends generated to a size of 4096.
>
> Same 4 attempts, same "fragmented IKE message is too large", same unresponsiveness.  Must be something else.  Maybe it's haunted.
>
> Mar 24 14:22:04 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[48368] to 192.168.1.16[500] (704 bytes)
> Mar 24 14:22:04 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Mar 24 14:22:04 cygnus.darkmatter.org charon-systemd[49550]: 172.58.47.30 is initiating an IKE_SA
> Mar 24 14:22:04 cygnus.darkmatter.org charon-systemd[49550]: local host is behind NAT, sending keep alives
> Mar 24 14:22:04 cygnus.darkmatter.org charon-systemd[49550]: remote host is behind NAT
> Mar 24 14:22:04 cygnus.darkmatter.org charon-systemd[49550]: sending cert request for "C=US, O=Quantum CN=aries.darkmatter.org CA"
> Mar 24 14:22:04 cygnus.darkmatter.org charon-systemd[49550]: generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
> Mar 24 14:22:04 cygnus.darkmatter.org charon-systemd[49550]: sending packet: from 192.168.1.16[500] to 172.58.47.30[48368] (299 bytes)
> Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(1/8) ]
> Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received fragment #1 of 8, waiting for complete IKE message
> Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(2/8) ]
> Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received fragment #2 of 8, waiting for complete IKE message
> Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(3/8) ]
> Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received fragment #3 of 8, waiting for complete IKE message
> Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(4/8) ]
> Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received fragment #4 of 8, waiting for complete IKE message
> Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(5/8) ]
> Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received fragment #5 of 8, waiting for complete IKE message
> Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(6/8) ]
> Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received fragment #6 of 8, waiting for complete IKE message
> Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(7/8) ]
> Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received fragment #7 of 8, waiting for complete IKE message
> Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1188 bytes)
> Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(8/8) ]
> Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: fragmented IKE message is too large
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(1/8) ]
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received fragment #1 of 8, waiting for complete IKE message
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(2/8) ]
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received fragment #2 of 8, waiting for complete IKE message
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(3/8) ]
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received fragment #3 of 8, waiting for complete IKE message
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(4/8) ]
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received fragment #4 of 8, waiting for complete IKE message
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(5/8) ]
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received fragment #5 of 8, waiting for complete IKE message
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(6/8) ]
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received fragment #6 of 8, waiting for complete IKE message
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(7/8) ]
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received fragment #7 of 8, waiting for complete IKE message
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1188 bytes)
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(8/8) ]
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(6/8) ]
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received fragment #6 of 8, waiting for complete IKE message
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(7/8) ]
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received fragment #7 of 8, waiting for complete IKE message
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1188 bytes)
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(8/8) ]
> Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: fragmented IKE message is too large
> Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(1/8) ]
> Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received fragment #1 of 8, waiting for complete IKE message
> Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(2/8) ]
> Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received fragment #2 of 8, waiting for complete IKE message
> Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(3/8) ]
> Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received fragment #3 of 8, waiting for complete IKE message
> Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(4/8) ]
> Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received fragment #4 of 8, waiting for complete IKE message
> Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(5/8) ]
> Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received fragment #5 of 8, waiting for complete IKE message
> Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(6/8) ]
> Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received fragment #6 of 8, waiting for complete IKE message
> Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(7/8) ]
> Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received fragment #7 of 8, waiting for complete IKE message
> Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1188 bytes)
> Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(8/8) ]
> Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: fragmented IKE message is too large
> Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(1/8) ]
> Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: received fragment #1 of 8, waiting for complete IKE message
> Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(2/8) ]
> Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: received fragment #2 of 8, waiting for complete IKE message
> Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(3/8) ]
> Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: received fragment #3 of 8, waiting for complete IKE message
> Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(4/8) ]
> Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: received fragment #4 of 8, waiting for complete IKE message
> Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(5/8) ]
> Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: received fragment #5 of 8, waiting for complete IKE message
> Mar 24 14:22:15 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:15 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(6/8) ]
> Mar 24 14:22:15 cygnus.darkmatter.org charon-systemd[49550]: received fragment #6 of 8, waiting for complete IKE message
> Mar 24 14:22:15 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
> Mar 24 14:22:15 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(7/8) ]
> Mar 24 14:22:15 cygnus.darkmatter.org charon-systemd[49550]: received fragment #7 of 8, waiting for complete IKE message
> Mar 24 14:22:15 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1188 bytes)
> Mar 24 14:22:15 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_AUTH request 1 [ EF(8/8) ]
> Mar 24 14:22:15 cygnus.darkmatter.org charon-systemd[49550]: fragmented IKE message is too large
> Mar 24 14:22:20 cygnus.darkmatter.org charon-systemd[49550]: received packet: from 172.58.47.30[48368] to 192.168.1.16[500] (704 bytes)
> Mar 24 14:22:20 cygnus.darkmatter.org charon-systemd[49550]: parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Mar 24 14:22:20 cygnus.darkmatter.org charon-systemd[49550]: 172.58.47.30 is initiating an IKE_SA
> Mar 24 14:22:20 cygnus.darkmatter.org charon-systemd[49550]: local host is behind NAT, sending keep alives
> Mar 24 14:22:20 cygnus.darkmatter.org charon-systemd[49550]: remote host is behind NAT
> Mar 24 14:22:20 cygnus.darkmatter.org charon-systemd[49550]: sending cert request for "C=US, O=Quantum CN=aries.darkmatter.org CA"
> Mar 24 14:22:20 cygnus.darkmatter.org charon-systemd[49550]: generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
> Mar 24 14:22:20 cygnus.darkmatter.org charon-systemd[49550]: sending packet: from 192.168.1.16[500] to 172.58.47.30[48368] (299 bytes)
> Mar 24 14:22:24 cygnus.darkmatter.org charon-systemd[49550]: sending keep alive to 172.58.47.30[41633]
> Mar 24 14:22:34 cygnus.darkmatter.org charon-systemd[49550]: deleting half open IKE_SA with 172.58.47.30 after timeout
>
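Added here as an illustration of the check Noel describes, not code from the thread or from strongSwan itself: a small Python script that pairs charon's "received packet" lines with the "EF(i/n)" fragment lines that follow them, totals the fragments of each IKE message and flags any total above charon.max_packet. The sample log is constructed from the fragment sizes quoted above (seven of 1364 bytes, one of 1188); the charon.conf stanza and the value 30000 are taken from the reply.

```python
import re
from collections import defaultdict

# Default of charon.max_packet (from Noel's reply); pass your configured value instead.
DEFAULT_MAX_PACKET = 10000

PACKET_RE = re.compile(r"received packet: from (\S+) to \S+ \((\d+) bytes\)")
FRAG_RE = re.compile(r"parsed (\w+) (?:request|response) (\d+) \[ EF\((\d+)/(\d+)\) \]")

def fragmented_messages(lines, max_packet=DEFAULT_MAX_PACKET):
    """Pair each 'received packet' line with the 'EF(i/n)' line after it and total the
    fragments per (peer, exchange, message id). Returns {key: (bytes, seen, expected,
    exceeds)}. The sum of UDP payload sizes overestimates the reassembled message
    by the per-fragment header overhead, so treat a total near the limit as suspect."""
    acc = defaultdict(lambda: {"bytes": 0, "seen": set(), "expected": 0})
    pending = None  # (peer, size) from the last 'received packet' line
    for line in lines:
        m = PACKET_RE.search(line)
        if m:
            pending = (m.group(1), int(m.group(2)))
            continue
        m = FRAG_RE.search(line)
        if m and pending is not None:
            peer, size = pending
            pending = None
            entry = acc[(peer, m.group(1), int(m.group(2)))]
            idx, entry["expected"] = int(m.group(3)), int(m.group(4))
            if idx not in entry["seen"]:  # a retransmitted fragment counts once
                entry["seen"].add(idx)
                entry["bytes"] += size
    return {k: (e["bytes"], len(e["seen"]), e["expected"], e["bytes"] > max_packet)
            for k, e in acc.items()}

def charon_conf_fix(max_packet=30000):
    """charon.conf stanza raising the limit; 30000 is the value Noel suggests."""
    return "charon {\n    max_packet = %d\n}\n" % max_packet

# Constructed log excerpt using the thread's fragment sizes: 7 x 1364 bytes + 1188 bytes.
SAMPLE_LOG = []
for i, size in enumerate([1364] * 7 + [1188], start=1):
    SAMPLE_LOG.append("Mar 24 14:22:06 cygnus charon-systemd[49550]: received packet: "
                      "from 172.58.47.30[41633] to 192.168.1.16[4500] (%d bytes)" % size)
    SAMPLE_LOG.append("Mar 24 14:22:06 cygnus charon-systemd[49550]: parsed IKE_AUTH "
                      "request 1 [ EF(%d/8) ]" % i)

if __name__ == "__main__":
    for (peer, exch, mid), (total, seen, n, big) in fragmented_messages(SAMPLE_LOG).items():
        print("%s %s #%d: %d bytes in %d/%d fragments, %s" % (peer, exch, mid, total,
              seen, n, "exceeds charon.max_packet" if big else "within limit"))
```

Run as-is it reports the 8 fragments of IKE_AUTH request 1 as 10736 bytes, above the default 10000; to check a real host, replace SAMPLE_LOG with the lines of its journalctl output.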
