Issue #340

Updated by Tobias Brunner almost 7 years ago

Hello forum,
I hope someone can help me here.

We use strongswan 4.5.0-6.48.1 with opensuse 11.4-64 (kernel 2.6.37.6-0.7-default).
That works fine for about 100 users with Win7 clients (road warriors and home office).
Two days ago, there was a new Microsoft patch (931125). Now the clients with that patch installed can't connect via IKEv2 anymore. Other clients are working without problems. If we remove the patch, the client works as expected again.

In the messages log I can find the following information:

<pre>
6568 May 22 15:26:29 vpn-swan charon: 11[NET] sending packet: from 212.xxx.xxx.xxx[4500] to 172.26.0.8[4500]
6569 May 22 15:26:30 vpn-swan charon: 12[NET] received packet: from 172.26.0.21[500] to 212.xxx.xxx.xxx[500]
6570 May 22 15:26:30 vpn-swan charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
6571 May 22 15:26:30 vpn-swan charon: 12[IKE] 172.26.0.21 is initiating an IKE_SA
6572 May 22 15:26:30 vpn-swan charon: 12[IKE] 172.26.0.21 is initiating an IKE_SA
6573 May 22 15:26:30 vpn-swan charon: 12[IKE] sending cert request for "C=DE, …….."
6574 May 22 15:26:30 vpn-swan charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
6575 May 22 15:26:30 vpn-swan charon: 12[NET] sending packet: from 212.xxx.xxx.xxx[500] to 172.26.0.21[500]
6576 May 22 15:26:31 vpn-swan charon: 07[NET] receive buffer too small, packet discarded
6577 May 22 15:26:32 vpn-swan charon: 07[NET] receive buffer too small, packet discarded
6578 May 22 15:26:33 vpn-swan charon: 13[IKE] retransmit 1 of request with message ID 33
6579 May 22 15:26:33 vpn-swan charon: 13[NET] sending packet: from 212.xxx.xxx.xxx[4500] to 172.26.0.8[4500]
6580 May 22 15:26:34 vpn-swan charon: 15[NET] received packet: from 172.26.0.8[4500] to 212.xxx.xxx.xxx[4500]
6581 May 22 15:26:34 vpn-swan charon: 15[ENC] parsed INFORMATIONAL response 33 [ ]
6582 May 22 15:26:34 vpn-swan charon: 10[NET] received packet: from 172.26.0.8[4500] to 212.xxx.xxx.xxx[4500]
6583 May 22 15:26:34 vpn-swan charon: 10[ENC] parsed INFORMATIONAL response 33 [ ]
6584 May 22 15:26:34 vpn-swan charon: 10[IKE] received message ID 33, expected 34. Ignored
6585 May 22 15:26:34 vpn-swan charon: 11[NET] received packet: from 172.26.0.8[4500] to 212.xxx.xxx.xxx[4500]
6586 May 22 15:26:34 vpn-swan charon: 11[ENC] parsed INFORMATIONAL response 33 [ ]
6587 May 22 15:26:34 vpn-swan charon: 11[IKE] received message ID 33, expected 34. Ignored
6588 May 22 15:26:34 vpn-swan charon: 07[NET] receive buffer too small, packet discarded
6589 May 22 15:27:00 vpn-swan charon: 11[JOB] deleting half open IKE_SA after timeout
</pre>


So for me the important hint is "receive buffer too small, packet discarded".

Now I have some questions about this behavior.
Is this a configuration issue or a bug?
Can it be solved with an update to a new version 4.x or 5.x, or can I patch something on the strongswan gateway?

Please let me know if you need more information.

With kind regards,
Rolf
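
A log-triage sketch for the symptom in the post above, added here as an example (it is not strongSwan code and not from the poster): it pairs each half-open IKE_SA timeout with the initiation that preceded it and counts the `receive buffer too small` discards logged in between. The function and field names are hypothetical, and the 30-second window is an assumption taken from the gap in the excerpt (15:26:30 to 15:27:00).

```python
import re
from datetime import datetime, timedelta

# Lines taken from the log excerpt in the post (leading viewer line numbers kept).
SAMPLE = """\
6571 May 22 15:26:30 vpn-swan charon: 12[IKE] 172.26.0.21 is initiating an IKE_SA
6572 May 22 15:26:30 vpn-swan charon: 12[IKE] 172.26.0.21 is initiating an IKE_SA
6576 May 22 15:26:31 vpn-swan charon: 07[NET] receive buffer too small, packet discarded
6577 May 22 15:26:32 vpn-swan charon: 07[NET] receive buffer too small, packet discarded
6588 May 22 15:26:34 vpn-swan charon: 07[NET] receive buffer too small, packet discarded
6589 May 22 15:27:00 vpn-swan charon: 11[JOB] deleting half open IKE_SA after timeout
"""

# Optional leading line number, syslog timestamp, host, charon thread[subsystem], message.
LINE = re.compile(r"^(?:\d+\s+)?(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[\w+\] (.*)$")
INIT = re.compile(r"^(\S+) is initiating an IKE_SA$")
DISCARD = "receive buffer too small, packet discarded"
TIMEOUT = "deleting half open IKE_SA after timeout"

def triage(text, window=timedelta(seconds=30)):
    """Return one finding per half-open timeout: the peer and the discards seen while it was pending."""
    inits, discards, findings = [], [], []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # Syslog timestamps carry no year; a fixed placeholder year is prepended for parsing.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        if (i := INIT.match(msg)):
            if (ts, i.group(1)) not in inits:  # the excerpt shows this line twice
                inits.append((ts, i.group(1)))
        elif msg == DISCARD:
            discards.append(ts)  # the discard line names no peer, so correlate by time only
        elif msg == TIMEOUT:
            pending = [(t, p) for t, p in inits if timedelta(0) <= ts - t <= window]
            for t, peer in pending:
                n = sum(1 for d in discards if t <= d <= ts)
                findings.append({"peer": peer, "started": t.time().isoformat(),
                                 "timed_out": ts.time().isoformat(), "discards": n})
                inits.remove((t, peer))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

Because the discard message carries no source address, a non-zero count only shows that oversized packets arrived while that peer's handshake was pending; on a busy gateway it should be read together with the client-side trace.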
