[Swan] Windows IKEv2 Error 809
Tom Robinson
tom.robinson at motec.com.au
Wed May 25 05:21:01 UTC 2016
Hi Paul,
Thanks for taking the time to look at this.
On 25/05/16 00:33, Paul Wouters wrote:
> On Mon, 23 May 2016, Tom Robinson wrote:
>
>> I've having trouble connecting Windows 8 to libreswan (version 3.15-5) using IKEv2. I get the 809
>> error.
>>
>> The ipsec connection I have configured is copied from another libreswan host (version 3.13-1) that
>> does work (we're migrating) but I can't seem to locate the issue on the new server.
>>
>> The connection appears to succeed on the server. Then, on the Windows 8 client, I see a message
>> "Verifying your credentials" after which I see the "Error 809: ..." message.
>>
>> Here's my log of the connection:
>
>> May 23 11:29:39 apex pluto[29341]: "ikev2-cp"[1] 165.228.94.4 #9: STATE_PARENT_R2: received v2I2,
>> PARENT SA established tunnel mode {ESP/NAT=>0xefe27442 <0x1fd6e1dc xfrm=AES_128-HMAC_SHA1 NATOA=none
>> NATD=165.228.94.4:4500 DPD=active}
>
> So the tunnel came up fine. I am not sure why Windows is rejecting it.
>
I can still connect to the old VPN from the same client. I've scrutinised both the old an new client
settings and can't find anything out of place.
On the server, I've gone over and over again the firewall settings but can't spot anything there either.
>> For my own sanity, is someone able to run their eyes over this?
>
> Looked fine. Perhaps it is a timing/clock issue with the certificate?
I had the same thought yesterday. I did find an ntpd sync issue and fix it (the clock was five
seconds fast). Time is sync'd now but still no joy from the VPN. :-/ I've even rebooted the server.
I have since checked the client's clock and found that five seconds fast as well. I've sync'd that
now to 'Internet Time' under Windows and the time reports the same as the server now. Still no joy
for the Roadwarrior IKE connection, though.
Just so you know, this server will carry three VPNs connections in the long run; two host-to-host
and one Roadwarrior IKE. One of the host-to-host connections uses PSK and the other certificates. I
got the certificate based host-to-host VPNs migrated today and that works fine.
Below is a network trace of the Windows connection being established. Should I be worried about the
Fragmentation? On the firewall I have clamped the MSS to 1400 for IPSEC tunnelling.
1 0.000000000 165.228.94.4 -> 115.70.189.242 ISAKMP 922
2 0.001086847 115.70.189.242 -> 165.228.94.4 ISAKMP 339
3 0.048702978 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17,
off=0, ID=47b2)
4 0.061718266 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17,
off=1368, ID=47b2)
5 0.066892052 165.228.94.4 -> 115.70.189.242 ISAKMP 594
6 0.076894733 115.70.189.242 -> 165.228.94.4 IPv4 1514 Fragmented IP protocol (proto=UDP 17,
off=0, ID=848d)
7 0.076953733 115.70.189.242 -> 165.228.94.4 ISAKMP 474
8 1.048806004 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17,
off=0, ID=47b3)
9 1.061378747 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17,
off=1368, ID=47b3)
10 1.066515615 165.228.94.4 -> 115.70.189.242 ISAKMP 594
11 1.066817202 115.70.189.242 -> 165.228.94.4 ISAKMP 343
12 2.061653284 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17,
off=0, ID=47b4)
13 2.074207523 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17,
off=1368, ID=47b4)
14 2.079655604 165.228.94.4 -> 115.70.189.242 ISAKMP 594
15 2.079883081 115.70.189.242 -> 165.228.94.4 ISAKMP 343
16 14.955166129 115.70.189.242 -> 165.228.94.4 ISAKMP 106
17 15.086739890 115.70.189.242 -> 165.228.94.4 ISAKMP 106
Kind regards,
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20160525/caecc7fd/attachment.sig>
More information about the Swan
mailing list