[Swan] Windows IKEv2 Error 809

Tom Robinson tom.robinson at motec.com.au
Wed Jun 1 06:35:29 UTC 2016


On 26/05/16 15:49, Tom Robinson wrote:
> I've analysed the packets for both connections (remember: one connection is old and works and the
> other is new and fails).
> 
> On the old connection the IKE_AUTH packet from the client gets fragmented into three and then
> reassembled. It's 3296 bytes on reassembly. The server responds with IKE_AUTH and the connection
> comes up without any further fragmentation. At this stage I see lots of ESP packets coming to and fro.
> 
> On the new connection the IKE_AUTH progresses in the same way as for the old connection (packet from
> the client gets fragmented into three and then reassembled. It's also 3296 bytes). The server
> responds with IKE_AUTH four times but the client seems to ignore it and resends another IKE_AUTH
> packet instead. This packet gets fragmented as before. After packet reassembly, the server then
> responds with IKE_SA_INIT. The client seems to ignore this again and resends another fragmented
> IKE_AUTH. The client gives up with "Error 809".
> 

I'm still stumped by this.

Can someone please clarify the 'fragmentation' setting wrt 'a size larger than 576 bytes' (from the
man page)?

I have a number of ISAKMP (IKE_AUTH) packets received on the client that have been fragmented and
apparently ignored. There are four packets, three of which are 568 bytes, the last being 512 bytes.
They are not being reassembled (according to wireshark) on the client. All four packets have the
"don't fragment" flag set.

Is the 'fragmentation=force' setting missing these packets due to their small size?

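The question above turns on two different kinds of fragmentation. IP fragmentation splits one UDP datagram across several IP packets; only the first carries the UDP header, and the IP stack (and Wireshark) reassembles them before IKE ever sees the message. IKEv2 fragmentation (RFC 7383, which is what libreswan's fragmentation= option controls) splits the encrypted part of a message into several complete UDP datagrams, each carrying one Encrypted and Authenticated Fragment payload (type 132, "SKF") whose fragment number and total count are in the clear; the IKE daemon reassembles them only after decryption, so a packet analyser without the keys shows them as separate ISAKMP packets. The following Python is an added example for this thread, not libreswan code: it parses the IKEv2 header, reads the SKF fragment counters and reports which fragment sets in a capture are complete. The SPI values and the datagrams built by build_skf() are constructed test data sized to match the three 568-byte and one 512-byte packets described above.

```python
"""Tell IKEv2 (RFC 7383) fragments apart from whole IKE messages in a capture.

Added example for this thread, not libreswan code. SPI values and the
datagrams built by build_skf() are constructed test data, not a real capture.
"""
import struct
from collections import defaultdict

IKE_HDR_LEN = 28
IKEV2_VERSION = 0x20           # major 2, minor 0
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
EXCHANGE = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD_IDR = 36               # first inner payload of a responder's IKE_AUTH
PAYLOAD_SK = 46                # Encrypted and Authenticated (RFC 7296 section 3.14)
PAYLOAD_SKF = 132              # Encrypted and Authenticated Fragment (RFC 7383 section 2.5)
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefix on UDP/4500 (NAT-T) IKE datagrams


def parse_ike(udp_payload: bytes, dst_port: int = 500) -> dict:
    """Parse one UDP datagram as IKEv2 and walk its outer payload chain.

    Every RFC 7383 fragment is a complete UDP datagram whose single outer payload
    is SKF; the (fragment_number, total_fragments) pair sits in the clear, so a
    capture can be checked for missing fragments without any keys.
    """
    data = udp_payload
    if dst_port == 4500:
        if not data.startswith(NON_ESP_MARKER):
            raise ValueError("UDP/4500 datagram without non-ESP marker is ESP, not IKE")
        data = data[4:]
    if len(data) < IKE_HDR_LEN:
        raise ValueError("shorter than an IKE header")
    _spi_i, _spi_r, next_pl, version, exch, flags, msg_id, length = struct.unpack(
        "!QQBBBBII", data[:IKE_HDR_LEN])
    if version >> 4 != 2:
        raise ValueError(f"not IKEv2 (version byte 0x{version:02x})")
    if length != len(data):
        raise ValueError(f"header length {length} != datagram length {len(data)}")

    msg = {"exchange": EXCHANGE.get(exch, f"type-{exch}"), "message_id": msg_id,
           "from": "initiator" if flags & FLAG_INITIATOR else "responder",
           "response": bool(flags & FLAG_RESPONSE), "fragment": None, "payloads": []}
    off = IKE_HDR_LEN
    while next_pl != 0:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        following, _crit, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("bad payload length")
        msg["payloads"].append(next_pl)
        if next_pl == PAYLOAD_SKF:
            if plen < 8:
                raise ValueError("SKF payload too short for fragment fields")
            msg["fragment"] = struct.unpack("!HH", data[off + 4:off + 8])
        if next_pl in (PAYLOAD_SK, PAYLOAD_SKF):
            break   # 'following' names the first *encrypted* payload; the outer chain ends here
        off += plen
        next_pl = following
    return msg


def is_ike_datagram(udp_payload: bytes, dst_port: int = 500) -> bool:
    """True when the datagram parses as a self-consistent IKEv2 message."""
    try:
        parse_ike(udp_payload, dst_port)
    except ValueError:
        return False
    return True


def fragment_status(datagrams, dst_port: int = 500) -> dict:
    """Group SKF fragments per (direction, message ID, exchange) and report completeness.

    Value per key: (fragment numbers seen, total announced, complete?).
    """
    seen, totals = defaultdict(set), {}
    for d in datagrams:
        m = parse_ike(d, dst_port)
        if m["fragment"] is None:
            continue
        frag_no, total = m["fragment"]
        key = (m["from"], m["message_id"], m["exchange"])
        seen[key].add(frag_no)
        totals[key] = total
    return {k: (sorted(v), totals[k], len(v) == totals[k]) for k, v in seen.items()}


def build_skf(msg_id: int, frag_no: int, total: int, body: bytes, *, exch: int = 35,
              initiator: bool = False, response: bool = True) -> bytes:
    """Construct a synthetic IKEv2 fragment datagram (test data, not captured traffic).

    'body' stands in for IV + ciphertext + ICV, whose sizes depend on the cipher.
    """
    flags = (FLAG_INITIATOR if initiator else 0) | (FLAG_RESPONSE if response else 0)
    first_inner = PAYLOAD_IDR if frag_no == 1 else 0   # RFC 7383: only fragment 1 names the inner type
    skf = struct.pack("!BBHHH", first_inner, 0, 8 + len(body), frag_no, total) + body
    hdr = struct.pack("!QQBBBBII", 0x1111111111111111, 0x2222222222222222, PAYLOAD_SKF,
                      IKEV2_VERSION, exch, flags, msg_id, IKE_HDR_LEN + len(skf))
    return hdr + skf


if __name__ == "__main__":
    # Constructed to mirror the thread: three 568-byte and one 512-byte responder IKE_AUTH fragments.
    sizes = [532, 532, 532, 476]      # 568 - 36 and 512 - 36 bytes of encrypted body
    frags = [build_skf(1, i + 1, 4, b"\x00" * n) for i, n in enumerate(sizes)]
    for status in fragment_status(frags).items():
        print(status)
```

Fed the UDP payloads from a capture (port 500, or port 4500 with the non-ESP marker), fragment_status() shows for each message ID whether all announced fragments arrived; a set that is complete on the wire but never answered points at the peer's handling of the reassembled message rather than at lost fragments. The DF bit on such datagrams is unremarkable: each one is already small enough to need no IP fragmentation, which is the whole point of fragmenting at the IKE layer.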
