Receive buffer too small, packet discarded. Can I edit strongswan.conf?



  • Hi Everyone.

    I've been getting this error in my pfsense logs: "charon: 03[NET] receive buffer too small, packet discarded"

    It repeats several times a minute. My ipsec connection also drops out after a little while, I'd say about an hour or so? The only useful Google result that has turned up for this error is: https://wiki.strongswan.org/issues/340

    I'm connecting to an ipfire machine.

    Is there a way for me to modify the strongswan.conf on pfsense and keep the changes persistent, assuming that is the problem? I made the change on the ipfire machine with no effect so far.

    My pfsense logs are pretty much filled with:

    Nov 13 11:40:49	charon: 08[NET] receive buffer too small, packet discarded
    Nov 13 11:40:45	charon: 08[NET] receive buffer too small, packet discarded
    Nov 13 11:39:29	charon: 08[NET] receive buffer too small, packet discarded
    Nov 13 11:38:47	charon: 08[NET] receive buffer too small, packet discarded
    Nov 13 11:38:24	charon: 08[NET] receive buffer too small, packet discarded
    

    On the ipfire (server) side I'm seeing a lot of this in the logs:

    11:40:46 charon:  15[IKE] initiating IKE_SA home[1] to homeip 
    11:40:46 charon:  15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ] 
    11:40:46 charon:  15[NET] sending packet: from serverip[500] to homeip[500] (10672 bytes) 
    11:40:50 charon:  07[IKE] retransmit 1 of request with message ID 0 
    11:40:50 charon:  07[NET] sending packet: from serverip[500] to homeip[500] (10672 bytes) 
    11:40:57 charon:  10[IKE] retransmit 2 of request with message ID 0 
    11:40:57 charon:  10[NET] sending packet: from serverip[500] to homeip[500] (10672 bytes) 
    11:41:10 charon:  14[IKE] retransmit 3 of request with message ID 0 
    11:41:10 charon:  14[NET] sending packet: from serverip[500] to homeip[500] (10672 bytes) 
    11:41:33 charon:  15[IKE] retransmit 4 of request with message ID 0 
    11:41:33 charon:  15[NET] sending packet: from serverip[500] to homeip[500] (10672 bytes) 
    11:42:15 charon:  06[IKE] retransmit 5 of request with message ID 0 
    11:42:15 charon:  06[NET] sending packet: from serverip[500] to homeip[500] (10672 bytes) 
    11:43:31 charon:  10[IKE] giving up after 5 retransmits 
    11:43:31 charon:  10[IKE] peer not responding, trying again (3/0) 
    


  • @diablo266:

    Is there a way for me to modify the strongswan.conf on pfsense and keep the changes persistent, assuming that is the problem? I made the change on the ipfire machine with no effect so far.

    Edit the code that builds strongswan.conf in /etc/inc/vpn.inc - you probably want to be looking around line 417. You will then need to force a strongswan.conf rebuild - stopping and restarting the ipsec service is probably sufficient (I haven't checked), or you could reboot.

    Be aware that changes made directly to pfSense files will not persist across a firmware update.

    If possible, I would try to edit the configuration to reduce the maximum packet size needed.



  • @David_W:

    If possible, I would try to edit the configuration to reduce the maximum packet size needed.

    Indeed, ipfire is almost certainly doing something wrong, or has a poor config, where it's sending 10000+ bytes there.

    What David noted will work around the issue, and we ought to have that available as a tunable value. But you should really figure out why that's happening and fix the config on the ipfire side.


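An added example, not part of any post in this thread: a Python check that scans sender-side charon log text for IKE messages larger than the receiver's packet limit and reports whether the sender gave up on them, which is the mismatch the replies describe. The 10000-byte default for `max_packet` is an assumption based on strongSwan's documented `charon.max_packet` default, the function name is hypothetical, and the log sample is constructed from the lines quoted above.

```python
import re

# Constructed sample, modelled on the ipfire-side log lines quoted in the thread.
# The INFORMATIONAL exchange is invented to show a normal-sized message.
SAMPLE_LOG = """\
11:39:00 charon:  12[ENC] generating INFORMATIONAL request 4 [ ]
11:39:00 charon:  12[NET] sending packet: from serverip[500] to homeip[500] (76 bytes)
11:40:46 charon:  15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
11:40:46 charon:  15[NET] sending packet: from serverip[500] to homeip[500] (10672 bytes)
11:40:50 charon:  07[IKE] retransmit 1 of request with message ID 0
11:40:50 charon:  07[NET] sending packet: from serverip[500] to homeip[500] (10672 bytes)
11:43:31 charon:  10[IKE] giving up after 5 retransmits
"""

GENERATING = re.compile(r"\[ENC\] generating (\S+) (request|response) (\d+)")
SENDING = re.compile(r"\[NET\] sending packet: from (\S+) to (\S+) \((\d+) bytes\)")
GIVING_UP = re.compile(r"\[IKE\] giving up after (\d+) retransmits")


def find_oversized_exchanges(log_text, max_packet=10000):
    """Return one dict per generated IKE message whose packet exceeds max_packet.

    max_packet=10000 is an assumed receiver limit (charon.max_packet default).
    """
    exchanges, current = [], None
    for line in log_text.splitlines():
        if m := GENERATING.search(line):
            # A new message was built; later send/retransmit lines belong to it.
            current = {"exchange": m.group(1), "message_id": int(m.group(3)),
                       "peer": None, "bytes": 0, "sends": 0, "gave_up": False}
            exchanges.append(current)
        elif current is None:
            continue  # send or give-up line with no preceding "generating" line
        elif m := SENDING.search(line):
            current["peer"] = m.group(2)
            current["bytes"] = max(current["bytes"], int(m.group(3)))
            current["sends"] += 1
        elif GIVING_UP.search(line):
            current["gave_up"] = True
    return [e for e in exchanges if e["bytes"] > max_packet]


if __name__ == "__main__":
    for e in find_oversized_exchanges(SAMPLE_LOG):
        print(f"{e['exchange']} id={e['message_id']} to {e['peer']}: "
              f"{e['bytes']} bytes, sent {e['sends']}x, gave_up={e['gave_up']}")
```

Run against the sending side's log, an oversized `IKE_SA_INIT` that is retransmitted until the sender gives up lines up with the "receive buffer too small, packet discarded" entries on the receiving side.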