Issue #340

No connections after Win7 Client update (ikev2)

Added by Rolf Bauer over 6 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal
Category: configuration
Affected version: 4.5.0
Resolution: Fixed

Description

Hello forum,
I hope someone can help me here.

We use strongswan 4.5.0-6.48.1 with opensuse 11.4-64 (kernel 2.6.37.6-0.7-default).
That works fine for about 100 users with Win7-Clients (road warriors and homeoffice).
Two days ago, there was a new Microsoft-Patch (931125). Now the clients with that installed patch can't connect via ikev2 any more. Other Clients are working without problems. If we remove the patch, the client works as expected again.

In the messages-log I can find the following information:

6568 May 22 15:26:29 vpn-swan charon: 11[NET] sending packet: from 212.xxx.xxx.xxx[4500] to 172.26.0.8[4500]
6569 May 22 15:26:30 vpn-swan charon: 12[NET] received packet: from 172.26.0.21[500] to 212.xxx.xxx.xxx[500]
6570 May 22 15:26:30 vpn-swan charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
6571 May 22 15:26:30 vpn-swan charon: 12[IKE] 172.26.0.21 is initiating an IKE_SA
6572 May 22 15:26:30 vpn-swan charon: 12[IKE] 172.26.0.21 is initiating an IKE_SA
6573 May 22 15:26:30 vpn-swan charon: 12[IKE] sending cert request for "C=DE, …….." 
6574 May 22 15:26:30 vpn-swan charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
6575 May 22 15:26:30 vpn-swan charon: 12[NET] sending packet: from 212.xxx.xxx.xxx[500] to 172.26.0.21[500]
6576 May 22 15:26:31 vpn-swan charon: 07[NET] receive buffer too small, packet discarded
6577 May 22 15:26:32 vpn-swan charon: 07[NET] receive buffer too small, packet discarded
6578 May 22 15:26:33 vpn-swan charon: 13[IKE] retransmit 1 of request with message ID 33
6579 May 22 15:26:33 vpn-swan charon: 13[NET] sending packet: from 212.xxx.xxx.xxx[4500] to 172.26.0.8[4500]
6580 May 22 15:26:34 vpn-swan charon: 15[NET] received packet: from 172.26.0.8[4500] to 212.xxx.xxx.xxx[4500]
6581 May 22 15:26:34 vpn-swan charon: 15[ENC] parsed INFORMATIONAL response 33 [ ]
6582 May 22 15:26:34 vpn-swan charon: 10[NET] received packet: from 172.26.0.8[4500] to 212.xxx.xxx.xxx[4500]
6583 May 22 15:26:34 vpn-swan charon: 10[ENC] parsed INFORMATIONAL response 33 [ ]
6584 May 22 15:26:34 vpn-swan charon: 10[IKE] received message ID 33, expected 34. Ignored
6585 May 22 15:26:34 vpn-swan charon: 11[NET] received packet: from 172.26.0.8[4500] to 212.xxx.xxx.xxx[4500]
6586 May 22 15:26:34 vpn-swan charon: 11[ENC] parsed INFORMATIONAL response 33 [ ]
6587 May 22 15:26:34 vpn-swan charon: 11[IKE] received message ID 33, expected 34. Ignored
6588 May 22 15:26:34 vpn-swan charon: 07[NET] receive buffer too small, packet discarded
6589 May 22 15:27:00 vpn-swan charon: 11[JOB] deleting half open IKE_SA after timeout

So for me the important hint is "receive buffer too small, packet discarded".

Now I have some questions about this behavior.
Is this a configuration issue or a bug?
Can it be solved with an update to a new version 4.x or 5.x or can I patch something on the strongswan-gateway?

Please let me know, if you need more information.

With kind regards,
Rolf

History

#1 Updated by Tobias Brunner over 6 years ago

  • Status changed from New to Feedback
  • Assignee set to Tobias Brunner

Apparently KB 931125 installs several hundred root CA certificates, resulting in an increased number of certificate requests sent with the IKE_AUTH message. This message now gets larger than the default buffer size for received messages (10000 bytes).

You should try setting charon.max_packet in strongswan.conf to a higher value.

#2 Updated by Rolf Bauer over 6 years ago

Hi Tobias,
thanks a lot for your really quick answer.
That's it! I set the value to 20000, restarted ipsec and it works.

You made my day :)

Kind regards,
Rolf

#3 Updated by Tobias Brunner over 6 years ago

  • Subject changed from no connections after Win7 Client update (ikev2) to No connections after Win7 Client update (ikev2)
  • Description updated (diff)
  • Category changed from charon to configuration
  • Status changed from Feedback to Closed
  • Resolution set to Fixed
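
Added example, not part of the original thread and not strongSwan code: a small charon log triage that flags the pattern reported above (buffer discards, a peer that sent IKE_SA_INIT but never had an IKE_AUTH parsed, and a half-open timeout), which is the situation where raising charon.max_packet applies. The sample log is constructed from the excerpt in the issue; the function name `triage` and the gateway address 192.0.2.1 are assumptions.

```python
import re

# Constructed sample modelled on the excerpt in the issue; 192.0.2.1 is a placeholder.
SAMPLE_LOG = """\
May 22 15:26:30 vpn-swan charon: 12[NET] received packet: from 172.26.0.21[500] to 192.0.2.1[500]
May 22 15:26:30 vpn-swan charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 22 15:26:30 vpn-swan charon: 12[IKE] 172.26.0.21 is initiating an IKE_SA
May 22 15:26:31 vpn-swan charon: 07[NET] receive buffer too small, packet discarded
May 22 15:26:32 vpn-swan charon: 07[NET] receive buffer too small, packet discarded
May 22 15:27:00 vpn-swan charon: 11[JOB] deleting half open IKE_SA after timeout
May 22 15:27:05 vpn-swan charon: 09[NET] received packet: from 172.26.0.30[500] to 192.0.2.1[500]
May 22 15:27:05 vpn-swan charon: 09[IKE] 172.26.0.30 is initiating an IKE_SA
May 22 15:27:06 vpn-swan charon: 14[NET] received packet: from 172.26.0.30[4500] to 192.0.2.1[4500]
May 22 15:27:06 vpn-swan charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH ]
"""

LINE = re.compile(r"charon: (\d+)\[\w+\] (.*)")
INIT = re.compile(r"^(\S+) is initiating an IKE_SA$")
RECV = re.compile(r"^received packet: from (\S+?)\[\d+\]")

def triage(log_text):
    """Summarise discards, half-open timeouts and peers that stalled before IKE_AUTH."""
    last_src = {}   # worker id -> source address of the packet it last received
    pending = {}    # peers that started an IKE_SA with no IKE_AUTH parsed yet
    discards = half_open = 0
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        worker, msg = m.group(1), m.group(2).strip()
        if (r := RECV.match(msg)):
            last_src[worker] = r.group(1)
        elif (i := INIT.match(msg)):
            pending[i.group(1)] = True
        elif msg.startswith("parsed IKE_AUTH request"):
            # Heuristic: attribute the message to the packet this worker just received.
            pending.pop(last_src.get(worker), None)
        elif msg == "receive buffer too small, packet discarded":
            discards += 1
        elif msg == "deleting half open IKE_SA after timeout":
            half_open += 1
    stalled = sorted(pending)
    return {"discards": discards, "half_open_timeouts": half_open,
            "stalled_peers": stalled,
            "oversized_ike_auth_suspected": bool(discards and half_open and stalled)}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Discarded packets are dropped before parsing, so the log never names their sender; the stalled-peer list is a correlation, not proof.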
