Thank you for the tips, Andreas and Martin. Unfortunately, I'm still 
struggling with the same problem. 'reauth=no' didn't help, BTW.

In my ipsec.conf I have currently:

        conn win7
                ike=aes256-sha1-modp1024!
                esp=aes256-sha1!
                dpddelay=300s
                rekey=no

and

        conn %default
                ikelifetime=8h
                [among other settings]


But the clients still lose connection every 240 minutes.
The clients affected are behind NAT and use Windows 7 native client.

Every time the client loses connection, the following appears in the 
strongSwan 4.6.4 logs:

charon: 10[NET] received packet: from 12.7.10.2[4500] to 6.34.22.1[4500]
charon: 10[ENC]   not enough input to parse rule 14 NOTIFICATION_DATA
charon: 10[ENC] could not decrypt payloads
charon: 10[IKE] message parsing failed
charon: 10[ENC] generating CREATE_CHILD_SA response 0 [ N(INVAL_SYN) ]
charon: 10[NET] sending packet: from 6.34.22.1[4500] to 12.7.10.2[4500]
charon: 10[IKE] CREATE_CHILD_SA request with message ID 0 processing failed

or

charon: 10[NET] received packet: from 12.7.10.2[4500] to 6.34.22.1[4500]
charon: 10[ENC]   not enough input to parse rule 13 SPI
charon: 10[ENC] could not decrypt payloads
charon: 10[IKE] message parsing failed
charon: 10[ENC] generating CREATE_CHILD_SA response 0 [ N(INVAL_SYN) ]
charon: 10[NET] sending packet: from 6.34.22.1[4500] to 12.7.10.2[4500]
charon: 10[IKE] CREATE_CHILD_SA request with message ID 0 processing failed


So the apparent cause is either a
        not enough input to parse rule 14 NOTIFICATION_DATA
or a
        not enough input to parse rule 13 SPI

What does this mean?
Will it be helpful if I increase the debugging?


Thanks,
Tiago



On 27/11/12 08:20, Martin Willi wrote:
> Hi Tiago,
>
>> Hmmm, probably the Win7 clients don't like re-authentication proposed
>> by the strongSwan gateway.
>
> Also check that you use modp1024 as your first DH group, and let the
> client initiate rekeying if it is behind NAT. See [1].
>
> Regards
> Martin
>
> [1] http://wiki.strongswan.org/projects/strongswan/wiki/Windows7#Rekeying-behavior


