Hi Hans,

it seems that the Windows clients do not receive the IKE_AUTH response from the strongSwan gateway, probably because the large certificate contained in the message leads to IP fragmentation of the UDP-based IKE datagram and the fragments get discarded somewhere on the way:

sending end entity cert "C=NL, ST=Utrecht, L=Amersfoort, O=Globiq BV, CN=<<full qualified host name>>"
generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
sending packet: from 10.10.0.125[4500] to 222.127.206.61[39239] (1468 bytes)
received packet: from 222.127.206.61[39239] to 10.10.0.125[4500] (1100 bytes)
parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
received retransmit of request with ID 1, retransmitting response

As you can see the Windows client is retransmitting its original IKE_AUTH request. What is the MTU in your network? Actually the IKE_AUTH message with a size of 1468 bytes should not get fragmented with an Ethernet MTU of 1500 bytes.

Best regards

Andreas

On 19.05.2015 11:34, Hans Boone wrote:
Hi all,

We’re using Strongswan to connect to Amazon AWS. So far we’ve been using strongswan 4.6.2 to connect windows 7 / 8 clients using eap-mschapv2 with IkeV2 to the linux Strongswan server.

Recently we’ve installed a new linux Strongswan server, and we’ve copied the installation to the new server. Of course we’ve created a new server certificate for this new server. Unfortunately we’re not able to connect with any windows client to the server. The security assertion is created, but somehow the VPN connection is not created, the windows clients (win 7 and win 8) report an 809 error.

Any ideas what to do?

======================================================================
Andreas Steffen [email protected]
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
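
A log triage sketch for the symptom discussed in this thread, added here as an example and not part of the original messages or of strongSwan: it pairs each sent response with a later retransmit of the same request ID and checks the resulting IPv4 datagram size against candidate path MTUs. It assumes the logged byte count is the UDP payload and that the IPv4 header carries no options; the function names and the candidate MTU values are illustrative.

```python
import re

IPV4_HDR, UDP_HDR = 20, 8  # assumption: IPv4 header without options

# Constructed sample: the charon lines quoted in the message (one abridged).
SAMPLE_LOG = """\
generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
sending packet: from 10.10.0.125[4500] to 222.127.206.61[39239] (1468 bytes)
received packet: from 222.127.206.61[39239] to 10.10.0.125[4500] (1100 bytes)
parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) SA TSi TSr ]
received retransmit of request with ID 1, retransmitting response
"""

GEN = re.compile(r"generating (\S+) response (\d+) \[")
SENT = re.compile(r"sending packet: from \S+ to (\S+) \((\d+) bytes\)")
RETX = re.compile(r"received retransmit of request with ID (\d+)")


def unanswered_responses(log_text):
    """Responses that were sent but whose request the peer retransmitted."""
    pending, sent, findings = None, {}, []
    for line in log_text.splitlines():
        if m := GEN.search(line):
            pending = (m.group(1), int(m.group(2)))   # exchange, message ID
        elif (m := SENT.search(line)) and pending:
            sent[pending[1]] = (pending[0], pending[1], m.group(1), int(m.group(2)))
            pending = None
        elif (m := RETX.search(line)) and int(m.group(1)) in sent:
            hit = sent[int(m.group(1))]
            if hit not in findings:                   # report each response once
                findings.append(hit)
    return findings


def fragments_at(udp_payload, mtu):
    """True if the IPv4 datagram for this UDP payload exceeds the link MTU."""
    return udp_payload + UDP_HDR + IPV4_HDR > mtu


def report(log_text, mtus=(1500, 1492, 1400)):  # illustrative candidate MTUs
    """Per lost response: (exchange, msg ID, peer, bytes, MTUs that fragment)."""
    return [(ex, mid, peer, size, [m for m in mtus if fragments_at(size, m)])
            for ex, mid, peer, size in unanswered_responses(log_text)]


if __name__ == "__main__":
    for ex, mid, peer, size, bad in report(SAMPLE_LOG):
        print(f"{ex} response {mid} to {peer}: {size} bytes UDP payload, "
              f"fragments at MTU {bad or 'none of the candidates'}")
```

On the sample, the 1468-byte response fits a 1500-byte MTU (1496 bytes on the wire) but would be fragmented on any hop with a smaller MTU, such as the 1492 and 1400 candidates.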
