[Swan] Windows IKEv2 Error 809

Tom Robinson tom.robinson at motec.com.au
Wed May 25 06:32:13 UTC 2016


On 25/05/16 16:22, Tom Robinson wrote:
>> Below is a network trace of the Windows connection being established. Should I be worried about the
>> Fragmentation? On the firewall I have clamped the MSS to 1400 for IPSEC tunnelling.
>>
>>   1 0.000000000 165.228.94.4 -> 115.70.189.242 ISAKMP 922
>>   2 0.001086847 115.70.189.242 -> 165.228.94.4 ISAKMP 339
>>   3 0.048702978 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=0, ID=47b2)
>>   4 0.061718266 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=1368, ID=47b2)
>>   5 0.066892052 165.228.94.4 -> 115.70.189.242 ISAKMP 594
>>   6 0.076894733 115.70.189.242 -> 165.228.94.4 IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=848d)
>>   7 0.076953733 115.70.189.242 -> 165.228.94.4 ISAKMP 474
>>   8 1.048806004 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=0, ID=47b3)
>>   9 1.061378747 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=1368, ID=47b3)
>>  10 1.066515615 165.228.94.4 -> 115.70.189.242 ISAKMP 594
>>  11 1.066817202 115.70.189.242 -> 165.228.94.4 ISAKMP 343
>>  12 2.061653284 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=0, ID=47b4)
>>  13 2.074207523 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=1368, ID=47b4)
>>  14 2.079655604 165.228.94.4 -> 115.70.189.242 ISAKMP 594
>>  15 2.079883081 115.70.189.242 -> 165.228.94.4 ISAKMP 343
>>  16 14.955166129 115.70.189.242 -> 165.228.94.4 ISAKMP 106
>>  17 15.086739890 115.70.189.242 -> 165.228.94.4 ISAKMP 106
> 
> 
> On the firewall I've lowered the MSS to 1398 and it's working now. Why does this connection need
> two extra bytes to be happy? It's actually traversing the same internet link.

I'm not really understanding what just happened. Although it's connecting now without error I'm
still seeing fragmentation on VPN connection startup:

  1 0.000000000 165.228.94.4 -> 115.70.189.242 ISAKMP 922
  2 0.001094248 115.70.189.242 -> 165.228.94.4 ISAKMP 339
  3 0.064956489 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=0, ID=13c1)
  4 0.078018322 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=1368, ID=13c1)
  5 0.083183106 165.228.94.4 -> 115.70.189.242 ISAKMP 594
  6 0.148332286 115.70.189.242 -> 165.228.94.4 IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=96ac)
  7 0.148368257 115.70.189.242 -> 165.228.94.4 ISAKMP 474
  8 0.217055356 165.228.94.4 -> 115.70.189.242 ESP 126 ESP (SPI=0x8c512869)
  9 0.218572760 165.228.94.4 -> 115.70.189.242 ESP 126 ESP (SPI=0x8c512869)
 10 0.234054672 165.228.94.4 -> 115.70.189.242 ESP 126 ESP (SPI=0x8c512869)
 11 0.238590112 165.228.94.4 -> 115.70.189.242 ESP 126 ESP (SPI=0x8c512869)
 12 0.240755201 165.228.94.4 -> 115.70.189.242 ESP 158 ESP (SPI=0x8c512869)
 13 0.245197092 165.228.94.4 -> 115.70.189.242 ESP 414 ESP (SPI=0x8c512869)

From there it seems to be happy enough. Anyone have any clues about this?

Kind regards,
Tom
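
An added example, not part of the original message: a Python script that groups the frames of the failing capture quoted above into UDP datagrams and lists any datagram the same sender emitted more than once with identical frame sizes. The function names are hypothetical, and it assumes that a non-fragment frame following fragments from the same sender is the final fragment; identical sizes suggest a retransmission but do not prove one.

```python
import re
from collections import Counter, defaultdict

# Frames 1-17 of the failing capture quoted above, with the wrapped lines joined.
TRACE = """\
  1 0.000000000 165.228.94.4 -> 115.70.189.242 ISAKMP 922
  2 0.001086847 115.70.189.242 -> 165.228.94.4 ISAKMP 339
  3 0.048702978 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=0, ID=47b2)
  4 0.061718266 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=1368, ID=47b2)
  5 0.066892052 165.228.94.4 -> 115.70.189.242 ISAKMP 594
  6 0.076894733 115.70.189.242 -> 165.228.94.4 IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=848d)
  7 0.076953733 115.70.189.242 -> 165.228.94.4 ISAKMP 474
  8 1.048806004 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=0, ID=47b3)
  9 1.061378747 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=1368, ID=47b3)
 10 1.066515615 165.228.94.4 -> 115.70.189.242 ISAKMP 594
 11 1.066817202 115.70.189.242 -> 165.228.94.4 ISAKMP 343
 12 2.061653284 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=0, ID=47b4)
 13 2.074207523 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=1368, ID=47b4)
 14 2.079655604 165.228.94.4 -> 115.70.189.242 ISAKMP 594
 15 2.079883081 115.70.189.242 -> 165.228.94.4 ISAKMP 343
 16 14.955166129 115.70.189.242 -> 165.228.94.4 ISAKMP 106
 17 15.086739890 115.70.189.242 -> 165.228.94.4 ISAKMP 106
"""

# frame number, time, sender, protocol column, frame size, optional IP ID
LINE = re.compile(r"\s*(\d+) ([\d.]+) (\S+) -> \S+ (\S+) (\d+)(?:.*ID=(\w+))?")

def datagrams(trace):
    """Group frames into datagrams: (first_frame_time, sender, frame_sizes)."""
    pending, out = defaultdict(list), []
    for m in filter(None, map(LINE.match, trace.splitlines())):
        _, t, src, _proto, size, ip_id = m.groups()
        if ip_id:  # non-final fragment: the summary line carries the IP ID
            pending[src].append((float(t), int(size)))
            continue
        # Assumption: the next non-fragment frame from the same sender is the
        # final fragment, shown under the reassembled protocol name.
        frames = pending.pop(src, []) + [(float(t), int(size))]
        out.append((frames[0][0], src, tuple(s for _, s in frames)))
    return out

def repeated(trace):
    """Datagrams a sender emitted more than once with identical frame sizes."""
    seen = Counter((src, sizes) for _, src, sizes in datagrams(trace))
    return {key: n for key, n in seen.items() if n > 1}

if __name__ == "__main__":
    for (src, sizes), n in repeated(TRACE).items():
        print(f"{src} sent frames {sizes} x{n}")
```
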
