[Swan] Windows IKEv2 Error 809

Paul Wouters paul at nohats.ca
Wed May 25 14:56:27 UTC 2016


ESP and packet size should not be affected for IKE AUTH method. So that is odd.

The cert probably hits your mtu and is getting fragmented and possibly your fragments are mistakenly dropped by a firewall.

You can try setting fragmentation=force

Sent from my iPhone

> On May 25, 2016, at 02:32, Tom Robinson <tom.robinson at motec.com.au> wrote:
> 
> On 25/05/16 16:22, Tom Robinson wrote:
>>> Below is a network trace of the Windows connection being established. Should I be worried about the
>>> Fragmentation? On the firewall I have clamped the MSS to 1400 for IPSEC tunnelling.
>>> 
>>>  1 0.000000000 165.228.94.4 -> 115.70.189.242 ISAKMP 922
>>>  2 0.001086847 115.70.189.242 -> 165.228.94.4 ISAKMP 339
>>>  3 0.048702978 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17,
>>> off=0, ID=47b2)
>>>  4 0.061718266 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17,
>>> off=1368, ID=47b2)
>>>  5 0.066892052 165.228.94.4 -> 115.70.189.242 ISAKMP 594
>>>  6 0.076894733 115.70.189.242 -> 165.228.94.4 IPv4 1514 Fragmented IP protocol (proto=UDP 17,
>>> off=0, ID=848d)
>>>  7 0.076953733 115.70.189.242 -> 165.228.94.4 ISAKMP 474
>>>  8 1.048806004 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17,
>>> off=0, ID=47b3)
>>>  9 1.061378747 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17,
>>> off=1368, ID=47b3)
>>> 10 1.066515615 165.228.94.4 -> 115.70.189.242 ISAKMP 594
>>> 11 1.066817202 115.70.189.242 -> 165.228.94.4 ISAKMP 343
>>> 12 2.061653284 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17,
>>> off=0, ID=47b4)
>>> 13 2.074207523 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17,
>>> off=1368, ID=47b4)
>>> 14 2.079655604 165.228.94.4 -> 115.70.189.242 ISAKMP 594
>>> 15 2.079883081 115.70.189.242 -> 165.228.94.4 ISAKMP 343
>>> 16 14.955166129 115.70.189.242 -> 165.228.94.4 ISAKMP 106
>>> 17 15.086739890 115.70.189.242 -> 165.228.94.4 ISAKMP 106
>> 
>> 
>> On the firewall I've lowered the MSS to 1398 and it's working now. Why does this connection need
>> two extra bytes to be happy? It's actually traversing the same internet link.
> 
> I'm not really understanding what just happened. Although it's connecting now without error I'm
> still seeing fragmentation on VPN connection startup:
> 
>  1 0.000000000 165.228.94.4 -> 115.70.189.242 ISAKMP 922
>  2 0.001094248 115.70.189.242 -> 165.228.94.4 ISAKMP 339
>  3 0.064956489 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17,
> off=0, ID=13c1)
>  4 0.078018322 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17,
> off=1368, ID=13c1)
>  5 0.083183106 165.228.94.4 -> 115.70.189.242 ISAKMP 594
>  6 0.148332286 115.70.189.242 -> 165.228.94.4 IPv4 1514 Fragmented IP protocol (proto=UDP 17,
> off=0, ID=96ac)
>  7 0.148368257 115.70.189.242 -> 165.228.94.4 ISAKMP 474
>  8 0.217055356 165.228.94.4 -> 115.70.189.242 ESP 126 ESP (SPI=0x8c512869)
>  9 0.218572760 165.228.94.4 -> 115.70.189.242 ESP 126 ESP (SPI=0x8c512869)
> 10 0.234054672 165.228.94.4 -> 115.70.189.242 ESP 126 ESP (SPI=0x8c512869)
> 11 0.238590112 165.228.94.4 -> 115.70.189.242 ESP 126 ESP (SPI=0x8c512869)
> 12 0.240755201 165.228.94.4 -> 115.70.189.242 ESP 158 ESP (SPI=0x8c512869)
> 13 0.245197092 165.228.94.4 -> 115.70.189.242 ESP 414 ESP (SPI=0x8c512869)
> 
> From there it seems to be happy enough. Anyone have any clues about this?
> 
> Kind regards,
> Tom
> 
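Added example, not from this thread or from libreswan: a small Python parser for the tshark summary format quoted above. It groups the IP fragments of each IKE datagram per sender, reports the reassembled UDP size next to the IP packet size the sender fragmented to, flags fragment sets that were never reassembled, and counts re-sends of the same fragmented message (the 1 s-spaced repeats in the first trace). It assumes a 14-byte Ethernet header and tshark's default of showing the reassembled ISAKMP message on the last fragment's frame; the sample trace is constructed from the thread with the wrapped lines joined.

```python
import re
from collections import Counter

HDR = 14 + 20  # Ethernet + IPv4 header bytes included in tshark's frame length
FRAG = re.compile(r"^\s*\d+\s+(?P<t>[\d.]+)\s+(?P<src>\S+) -> (?P<dst>\S+) IPv4 (?P<len>\d+) "
                  r"Fragmented IP protocol \(proto=UDP 17, off=(?P<off>\d+), ID=(?P<id>\w+)\)")
LAST = re.compile(r"^\s*\d+\s+(?P<t>[\d.]+)\s+(?P<src>\S+) -> (?P<dst>\S+) ISAKMP (?P<len>\d+)")

# Constructed sample in the tshark summary format quoted in the thread (wrapped lines joined).
TRACE = """\
 3 0.048702978 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=0, ID=47b2)
 4 0.061718266 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=1368, ID=47b2)
 5 0.066892052 165.228.94.4 -> 115.70.189.242 ISAKMP 594
 6 0.076894733 115.70.189.242 -> 165.228.94.4 IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=848d)
 7 0.076953733 115.70.189.242 -> 165.228.94.4 ISAKMP 474
 8 1.048806004 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=0, ID=47b3)
 9 1.061378747 165.228.94.4 -> 115.70.189.242 IPv4 1402 Fragmented IP protocol (proto=UDP 17, off=1368, ID=47b3)
10 1.066515615 165.228.94.4 -> 115.70.189.242 ISAKMP 594
"""

def fragmented_ike_datagrams(trace):
    """One record per IP-fragmented IKE datagram. Assumption: tshark shows the reassembled
    ISAKMP message on the frame of the last fragment, so the next ISAKMP line in the same
    direction closes the pending fragment set for that (src, dst) pair."""
    pending, out = {}, []
    for line in trace.splitlines():
        m = FRAG.match(line)
        if m:
            e = pending.setdefault((m["src"], m["dst"]), {"id": m["id"], "t": float(m["t"]), "frags": []})
            e["frags"].append((int(m["off"]), int(m["len"]) - HDR))  # (offset, UDP bytes carried)
            continue
        m = LAST.match(line)
        if m and (m["src"], m["dst"]) in pending:
            e = pending.pop((m["src"], m["dst"]))
            frags = sorted(e["frags"])
            gapless = all(frags[i][0] == sum(frags[i - 1]) for i in range(1, len(frags)))
            out.append({"src": m["src"], "dst": m["dst"], "ip_id": e["id"], "t": e["t"], "gapless": gapless,
                        "fragments": len(frags) + 1, "sender_mtu": frags[0][1] + 20,  # IP packet size used
                        "udp_bytes": sum(p for _, p in frags) + int(m["len"]) - HDR})
    for (src, dst), e in pending.items():  # never reassembled: fragments dropped or not captured
        out.append({"src": src, "dst": dst, "ip_id": e["id"], "t": e["t"], "gapless": False,
                    "fragments": len(e["frags"]), "sender_mtu": e["frags"][0][1] + 20, "udp_bytes": None})
    return out

def retransmissions(records):
    """Re-sends of a same-size fragmented datagram between the same endpoints: the peer never processed it."""
    seen = Counter((r["src"], r["dst"], r["udp_bytes"]) for r in records if r["udp_bytes"] is not None)
    return {k: n - 1 for k, n in seen.items() if n > 1}
```

Feed it the output of `tshark -r capture.pcap` (summary lines only) to see which IKE messages needed IP fragmentation and whether they were retransmitted.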
