Windows 10
2.2.1.0
requirements.txtWindows 10 fails to connect to the VPN. Message given is "The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices between you and the remote server is not configured to allow VPN connections. This is Error 809.
Install using normal steps. Make sure to say yes to windows 10 support.
Local
Windows 10 connects.
Windows 10 throws error 809.
No installation errors. I'm happy to provide the log if necessary, but it doesn't feel this way.
This feels like an issue with how Windows is fragmenting the packets. But most of the time when I'm totally sure I've narrowed down where the bug is coming from I'm wrong.
Is it possible there's an issue with reassembling UDP packets alltogether? Either they're not making it to the host properly and can't be reassembled, or maybe there's like an iptables rule killing the packets?
Works on a second Windows 10 machine from a different internet connection. Packet reassemblies succeed.
I'm guessing something installed on the first machine has made some sort of changes at the network layer which is mangling packets. I'll have to look into it further after work.
@whitelje I hit this yesterday, but I think Windows was giving the wrong error message. The real issue was that the cert hadn't properly installed. Check that both necessary certs are in the right folders (run certmgr.msc).
Getting this even with both certs copied to the right locations. Did some troubleshooting and seems to have the same issue even on a fresh windows 10 install. Version 1703 (15063.138). Wondering if its something in the creators update breaking things.
I also have seen the issues noted by whitelje, where I could not connect from a Windows 10 VM.
We also share the same ISP, which is a cable provider.
I did some tcpdumps/wireshare to determine why this was failing.
I believe this issue is caused by IP packet fragmentation in your environment. Playing by making MTU lower for interfaces wont solve this, as the issue is that the ISAKMP payload wont fit in a single IP datagram, and this fragmented datagram is dropped upstream from you.
I am proposing that many consumer cable modems are shipping with IP Fragmentation blocks, which is breaking IPSec.
This is config, strongswan requires a windows client send its cert in the IKE_SA_INIT exchange but the IKE_AUTH request was not reaching the VPN server. I also tried to modify strongswan to not request rightsidecert as suggested here: https://wiki.strongswan.org/issues/1485 but it had no effect on the window client behavior.
in my setup the IKE_AUTH request was being fragmented over 2 IP datagrams at 2100ish bytes; I believe the encrypted payload is so big because of RSA certificates. One fix here may be to switch to ECDSA certs, which would likely fit a single IP datagram without fragmentation. OpenSSL CA should handle generation of these and should be supported on modern things.
My solution:
I solved this by noticing that block IP fragmentation was enabled on my cable model (Tp-link Archer CR700).
Advanced, Firewall, Basic, Block Fragmented IP Packets set to Disable.
As soon as fragmentation was permitted, VPN worked as expected.
@MiWCryptAnalytics You are 100% right. Issue was caused my UDP fragmentation being borked by my Edgerouter lite. Thanks for the help!
This is really strange. Can someone contribute a Troubleshooting entry for this? I think it deserves one.
@jcll Can you post how you fixed the fragmentation issue with the ERL? I've got the same router.
Wasn't able to fix the issue. Ended up just pulling it from my network. Going to try to troubleshoot it. But I am guessing it needs a FM fix from ubnt.
Updated the ERL to v1.9.7alpha1 from 1.9.1 and can confirm the issue has been fixed.
I was having fragmentation issues with the IKE_AUTH requests using strongSwan in ubuntu 16.04, but luckily I stumbled across an easy fix in my ipsec.conf file. By setting fragmentation=no in my config file the packet was not fragmented and the connection worked. Hopes this helps save someone else some time!
How do I do the equivalent of the above (darland6 method) in Windows 10? Some router from my ISP is causing the problem if it indeed is the router fragmentation configuration listed above. My apartment ISP and a public one I can log into both don't allow my WIn10 machine to connect but my Androids work fine.
That kinda negates the VPN advantage if a router can set a configuration that defeats it. :) Both my Android devices work fine on both VPNs (I set up two different ones to test ...) but my Win10 can't connect to either.
I tried this registry fix and it didn't work:
https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#windows-error-809
@chi11ax this isn't a support forum.
@darland6 set "_fragmentation=no_" in _ipsec.conf_ ,worked for me, thanks!
Most helpful comment
I was having fragmentation issues with the IKE_AUTH requests using strongSwan in ubuntu 16.04, but luckily I stumbled across an easy fix in my ipsec.conf file. By setting
fragmentation=noin my config file the packet was not fragmented and the connection worked. Hopes this helps save someone else some time!